May  2013  www.csoonline.com  $9.00 



TECH  South  Korea  Bank  Attacks 
Put  U.S.  Banks  on  Alert  6 


RISK  Stats  Class:  How  Crunching 
Numbers  Can  Drive  Decisions  14 


LEAD  Drowning  in  Alphabet  Soup: 
When  Certifications  Don’t  Pay  Off  20 


We'll  help  your  business  security 
run  safer,  smarter  and 


Integrated  Security 


It's  time  to  turn  to  the  Number  1  team  in 
business  security:  Tyco  Integrated  Security. 

We've  got  world-class  monitoring  centers. 
Thousands  of  qualified  technicians.  And  a 
personal  passion  for  helping  you  protect  your 
business.  We'll  help  you  create  powerful 
security  solutions  that  are  customized  just 
for  you.  And  with  our  team  helping  you  run 
safer,  you  can  confidently  focus  on  the 
future  of  your  business. 

That's  sharper  thinking. 


Steve  Young 
ACCESS  CONTROL  •  FIRE  •  INTRUSION  •  VIDEO 


www.TycoIS.com  /  1.800.2.TYCO.IS 

©  2012  Tyco  Integrated  Security.  All  Rights  Reserved.  Tyco  and  Tyco  Integrated  Security  are  marks  and/or  registered  marks. 
Unauthorized  use  is  strictly  prohibited.  All  other  marks  are  the  property  of  their  respective  owners. 





Big  Data 
Diving 

26  Experts  say  large-scale  security  analytics  can  cut  through  the  noise  to  find  key  intelligence.  But  it  takes  expertise  to  use  it  effectively—and  legally. 

BY  TAYLOR  ARMERDING 
Big  Data:  The  Blessing  and  the  Curse 


As  we  were  preparing  to  send  this  issue  to  press,  tragedy 
unfolded  on  CSO’s  home  turf.  Two  bombs  exploded  at  the  finish 
line  of  the  Boston  Marathon,  killing  three  and  wounding  nearly  300. 


Our  thoughts  are  with  the  victims  and  our  gratitude  is  with  the  first  responders  who  minimized  the  death  toll. 

What  does  the  attack  have  to  do  with  big 
data  investigations,  the  focus  of  this  edition? 
Quite  a  bit,  in  our  opinion. 

In  the  weeks  ahead,  you’ll  hear  a  lot  about 
the  role  of  big  data  in  this  particular  probe. 

Everything  from  video  recordings  to  cell  phone 
transmissions  have  been  added  to  the  data  pile, 
helping  law  enforcement  piece  together  what 
happened  in  the  hours  and  minutes  leading 
up  to  the  blasts.  Computers  connected  to  the 
suspects  will  likely  be  seized,  and  the  data  will 
be  sifted  through  for  insight  into  how  the  attack 
was  planned. 

That’s  the  blessing  of  big  data:  Technology  allows  us  to  investigate  and  pinpoint  instances  of  failure  much  more  rapidly  than  was  possible  just  a  few  years  ago.  It  can  lead  us  to  faster  justice,  and  it  can  also  be  used  to  study  the  incident  response  so  we  can  see  what  went  right  and  what  could  be  improved  next  time. 

But  as  Taylor  Armerding  reports,  big  data  can  also  be  a  curse,  a  legal  one  specifically,  and  especially  so  in  the  business  world. 

Big  data  has  revolutionized  marketing  and  business  operations,  so  it  makes  sense  that  it  is  also  revolutionizing  investigations,  which  are,  after  all,  about  collecting  and  analyzing  information.  Big-data  analytics  should  make  police  work  faster,  easier  and  more  accurate,  right? 

Perhaps,  but  with  some  caveats.  Big  data  offers  big  opportunities  to  improve  investigations,  say  numerous  CSOs  and  CISOs,  but  it  also  brings  new  responsibilities  and  big  risks. 


As  is  often  the  case,  technology  tends  to  outrace  the  ability  of  people  and  systems  to  manage  and  control  it,  and  the  ability  of  government  to  regulate  it  effectively. 

Our  hope  is  that  in  reviewing  the  risks,  security  executives  will  be  able  to  dive  into  their  big  data  more  deliberately  and  avoid  the  legal  hassles  that  could  stand  in  the  way  of  progress. 

-Bill  Brenner,  Managing  Editor 
bbrenner@cxo.com 
Twitter:  @BillBrenner 

Correction:  Our  April  edition  of  CSO  featured 
CSO40  winner  The  MITRE  Corporation.  The  artwork 
accompanying  the  profile  mistakenly  included 
an  image  related  to  U.K. -based  Mitre  Sports. 
Additionally,  the  name  of  MITRE  Corp.'s  CSO,  Gary 
Gagnon,  was  misspelled,  and  Chris  Folk's  title 
should  have  been  listed  as  National  Protection 
Portfolio  Division  Director.  We  regret  the  errors. 
Avigilon  saw  a  ...  attempting  to  ...  while  analog  saw  ... 

Only  our  high-definition  surveillance  solutions  give  you  the  full  story. 

Get  the  image  detail  you  need  to  reduce  break-ins  and  keep  inventory 
secure  with  an  Avigilon  end-to-end  solution.  Our  broad  range  of 
cameras  lets  you  monitor  multiple  interior  and  exterior  environments 
to  provide  you  maximum  coverage  even  in  the  absence  of  security 
personnel.  Learn  more  about  the  benefits  of  Avigilon’s  end-to-end 
solutions  at  avigilon.com/endtoend 


Avigilon 

THE  BEST  EVIDENCE 


The  Comfort  Zone 


Once  again  I  sit  down  to  write  about  a  tragedy  and  what  I 
think  you,  as  security  professionals,  can  learn  from  it. 


When  terrible  events  happen,  like  the  bombings  in  Boston,  we  first  mourn  our  losses  and  do  our  best  to  recover,  but  it's  important  that  we  then  step  back  and  learn  whatever  we  can  from  the  experience.  While  I  am  sure  we  will  learn  many  lessons  from  this  tragedy  in  the  months  to  come,  there  is  one  that  jumps  right  out  to  me  as  we  begin  this  process:  The  comfort  zone  is  a  dangerous,  sometimes  deadly,  place  to  be. 

Most  security  professionals  I  speak  with 
would  agree  that  as  we  get  further  away  from 
a  security  event,  the  battle  to  keep  resources 
committed  to  prevention  becomes  tougher. 

It’s  human  nature  to  want  to  move  on.  You've 
seen  it  in  your  organizations  and  in  society  at 
large.  Ten  years  ago  we  were  still  talking,  a  lot, 
about  the  tragic  events  of  9/11.  Recently...not  so 
much.  The  Boston  Marathon  bombings  are  on 
everyone’s  mind  today,  and  will  remain  there 
for  a  while.  But  will  we  still  be  vigilant  two  years 
from  now?  Five  years?  Ten  years? 

The  comfort  zone:  I  think  we’ve  all  seen  it  in 
one  way  or  another,  and  I  think  we’ve  all  been 
guilty  of  falling  into  it  on  occasion.  The  comfort 
zone  is  that  nice  warm  and  fuzzy  place  you  find 
yourself  in  when  nothing  bad  has  happened  for 
a  while.  You’ve  thwarted  all  your  cyberattacks. 
You  haven't  had  to  terminate  any  employees  for 
stealing.  No  one  is  knocking  off  your  products 
in  Asia.  Whatever  your  security  challenges  are, 
they  seem  to  have  abated. 

The  comfort  zone  is,  just  as  it  says,  a  comfortable  place  to  be. 

Part  of  the  problem  with  the  comfort  zone 
is  that  it  causes  those  around  you  to  question 
the  need  for  what  you  do,  the  need  for  security. 


If  nothing  bad  is  happening,  is  that  because  we 
have  good  operational  security,  or  is  it  because 
nothing  bad  was  going  to  happen  anyway?  You 
may  not  be  asking  yourself  that  question,  but  I 
guarantee  your  organization's  leadership  is. 

The  challenge  is  that  we  are  never  truly  free 
of  risk,  and  the  price  of  success  is  constant 
vigilance.  That’s  why  some  people  jokingly  call 
security  professionals  paranoid.  That’s  why, 
for  more  than  11  years,  CSO  has  chronicled  the 
wins  and  losses  of  security.  Believe  me,  we’ve 
never  been  at  a  loss  for  things  to  write  about, 
and  I  don’t  believe  we  ever  will  be.  Do  your  best 
to  make  sure  that  you  never  visit  the  comfort 
zone...at  least  for  too  long. 

Our  thoughts  and  prayers  go  out  to  all  those 
affected  by  the  tragic  events  in  Boston. 

-Bob  Bragdon,  publisher 
bbragdon@cxo.com 


Advertiser  Index 

Avigilon . 3 

CSO . 23 

CSO  Perspectives . 15 

HID  Corp . C3 


Oracle  Corp . 9 

Quantum  Secure  Inc . 13 

RSA/Genesis . 17 

Sensage,  a  KEYW  company . 25 


Tyco  Integrated  Securities . C2 

VCE  Company,  LLC . C4 

Websense  Inc . 5 


Executive  Committee 

President  &  CEO  Michael  Friedenberg 

Executive  Assistant  to  the 
President  &  CEO  Pamela  Carlson 

SVP  of  Human  Resources 

Patricia  Chisholm 

SVP  of  Events  Ellen  Daly 

SVP  &  Chief  Content 
Officer  John  Gallant 

SVP  of  Digital  Brian  Glynn 

SVP  of  Strategic  Programs  & 
Custom  Solutions  Group  Charles  Lee 

SVP,  Group  Publisher  &  CMO  Bob  Melk 

SVP  &  General  Manager, 
Online  Operations  Gregg  Pinsky 

SVP  of  DEMO  Neil  Silverman 
SVP  &  COO  Matthew  Smith 

SVP  &  General  Manager, 
CIO  Executive  Council  Pam  Stenson 

SVP  of  Digital  & 
Publisher  Sean  Weglage 

Sales 

Publisher  Bob  Bragdon 

East  Coast  Regional  Director, 
Integrated  Sales  Roz  Burke 

Sales  Director  -  West  Mary  Hazelton 
Sales  Assistant  Kelsey  Scheidemantel 

Integrated  Media  and  Online  Sales 

East  Coast  Online  Regional  Sales 
Manager  Richard  Hartman 

West  Coast  Online  Regional 
Sales  Manager  Erika  Karr 

Central  Online  Regional  Sales 
Manager  Stacy  Bryne 

Director  of  Ad  Operations  & 
Project  Management  Bill  Rigby 

Director,  Online  Account 
Services  Danielle  Tetreault 

Production 

VP  Production  Services  Chris  Cuoco 
Production  Manager  Heidi  Broadley 

Marketing 

Vice  President,  Marketing  Sue  Yanovitch 
Marketing  &  PR  Manager  Lynn  Holmlund 

List  Services 

Contact  Steve  Tozeski  of  IDG  List  Services 
at  508  820-8106  or  stozeski@idglist.com 

Reprints  &  Permissions 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group,  800-290-5460,  ext.  100, 
cso@theygsgroup.com 


4  www.csoonline.com  MAY  2013 


Webb  Chappell 


ADVERTORIAL 


A  CSO’s  Dream  Team 

New  Resource  Gives  Back  to  InfoSec  Execs 


Lamont  Orange 

SENIOR  DIRECTOR, 
INFORMATION  SECURITY 

Lamont  Orange  serves  as  a  trusted 
security  resource  for  Websense 
customers  worldwide.  He  has  more 
than  15  years  of  experience  in  the 
information  security  industry, 
including  leadership  roles  at  Charter 
Communications  and  Ernst  &  Young. 


Learn  More 


Engage  the  Office  of  the  CSO  to 
learn  what  Websense  is  doing  to 
protect  its  own  personnel  and 
intellectual  property,  as  well  as 
how  to  incorporate  best  practices 
and  proven  technologies,  identify 
vulnerabilities  and  align  security 
initiatives  with  corporate  IT  and 
business  plans. 

Visit  www.websense.com/cso 
When  Lamont  Orange  left  his  post  as 
vice  president  of  enterprise  security  of 
one  of  the  nation’s  largest  cable  TV 
providers  last  year,  he  did  it  to  give  back 
to  an  industry  and  profession  that  had 
long  supported  him.  Orange  joined  the 
Websense  Office  of  the  CSO,  a  powerful 
new  ally  for  enterprise  organizations  in 
the  fight  against  cybercrime. 

“I  joined  the  Office  of  the  CSO  because  I 
felt  that  Websense  has  mature  solutions 
for  complex  and  persistent  threats,”  he 
explained.  “The  Websense  approach  to 
meeting  the  security  challenges  of  today 
and  tomorrow  is  spot  on.  I  also  appreciate  the  commitment  to  helping  CSOs 
succeed.” 

In  creating  the  Office  of  the  CSO, 
Websense  Chief  Security  and  Strategy 
Officer  Jason  Clark’s  goal  was  to  serve 
the  CSO  community  by  proffering  the 
expertise  and  collaboration  of  a  handpicked  team  of  information  security 
executives.  “We  believe  the  book  on 
security  was  written  so  long  ago,  things 
need  to  change,”  he  explained.  “So  we 
show  innovative  new  approaches  to 
stopping  threats,  and  help  other  CSOs 
rethink  how  they  do  security.” 

Combined,  Orange  and  his  six 
teammates  have  decades  of  security 
leadership  experience  at  global  organizations  including  The  New  York  Times, 
Zale  Corporation  and  Deutsche  Bank. 

In  addition  to  mentoring  the  greater 
security  community,  each  has  specific 
security  duties  within  Websense;  as 
senior  director  of  information  security, 
Orange  is  charged  with  running  the 
company’s  internal  security  program. 

Orange’s  roots  with  Websense  run  deep. 
At  Charter  Communications,  he  was 
responsible  for  securing  his  organization’s  confidential  information,  including 
its  intellectual  property  and  customer 
records,  and  for  ensuring  compliance. 
Websense  was  his  go-to  solution  for 
managing  employees’  Web  access. 


It  was  top-notch  technology  that 
Websense  had  built  its  reputation  on. 
But  as  cybercriminals  began  crafting 
more  advanced  attacks,  Orange  also 
needed  a  solution  that  could  protect 
against  the  advanced  threats  and  malware  that  were  beginning  to  appear. 
Websense®  TRITON™  technology 
proved  to  be  the  solution  he  was 
looking  for. 

“Other  vendors  said  they  could  help 
me,”  said  Orange.  “However,  the 
Websense  team  showed  me  innovative 
concepts  that  would  enable  me  to  assess 
risk  and  understand  how  effective  my 
current  controls  were.  They  also  helped 
me  figure  out  where  my  next  process, 
people  and  technology  investments 
needed  to  go.” 

In  proof-of-concept  testing,  Websense 
technology  quickly  revealed  that 
Orange’s  organization  had  some  significant  security  blind  spots.  The  TRITON 
technology  also  proved  more  adept  at 
catching  the  “worst  kind”  of  malware,  he 
said,  while  competing  solutions  “seemed 
to  be  focused  on  a  bunch  of  benign  malware...  The  results  were  eye-opening.” 

He  shared  the  test  results  with  his 
executives  and  was  able  to  convince 
them  that  there  was  a  “clear  and  present 
danger”  facing  the  organization. 

“It  allowed  me  to  have  an  educational 
moment  with  the  team,  and  educational 
moments  always  help  further  secure  a 
company,”  said  Orange. 

It  also  helped  him  realize  his  hard-won 
security  experience  could  be  put  to  good 
use  educating  other  organizations. 

The  Office  of  the  CSO  is  helping  him 
fulfill  that  goal. 

“Every  one  of  us  in  the  Office  of  the  CSO 
has  practiced  the  craft,”  said  Orange. 
“Because  we  understand  the  role  and 
its  challenges,  we  can  help  CSOs  better 
than  those  whose  expertise  is  based 
solely  on  academia  and  theory.”  ■ 
After  South  Korea  Bank  Attacks, 
U.S.  Banks  Should  be  on  Alert 

Simple  malware  wreaked  havoc  in  South  Korea,  and  U.S.  banks  are  facing  more  sophisticated  attacks 
BY ANTONE GONSALVES 


THE  SIMPLICITY  OF  THE  MALWARE  that  paralyzed  the  computer  networks  of  three  banks  and  two  broadcasters  in  technically  sophisticated  South  Korea  is  a  warning  that  U.S.  corporations  need  to  rethink  security. 

The  cybercriminals  did  nothing  out  of  the  ordinary  in  penetrating  the  organizations’  defenses  in  March.  They  used  existing  malware  called  “DarkSeoul,”  changed  its  signature  to  evade  the  organizations’  firewalls  and  antivirus  software,  and  targeted  a  well-known  vulnerability  in  Internet  Explorer. 

“In  South  Korea,  it  was  a  malware  that  I 
think,  if  you  say  that  it  took  more  than  one 
working  day  to  write,  it  means  the  developer 


was  not  very  bright,”  says  Barry  Shteiman,  a  senior  security  strategist  for  Imperva.  The  malware  was  capable  of  infecting  Windows,  Unix  and  Linux  servers,  as  well  as  PCs,  Symantec  reports.  Once  in  the  computer,  the  malware  destroyed  the  master  boot  record  on  the  hard  drive,  causing  it  to  crash  and  become  unable  to  turn  back  on.  As  a  result,  employees  at  South  Korea’s  two  leading  television  stations,  Korean  Broadcasting  System  and  MBC,  were  left  staring  at  blank  screens,  although  normal  broadcasts  continued,  the  New  York  Times  reports.  Shinhan  Bank,  the  country’s  fourth-largest  bank,  reported  its  Internet  banking  servers  were  temporarily  blocked. 

Two  other  banks,  NongHyup  and  Jeju, 
reported  computers  at  some  branches  were 
paralyzed  for  a  couple  of  hours. 
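The master boot record wipe described above is the first thing an incident responder checks on a machine that will no longer boot: is the 0x55AA boot signature still at bytes 510 and 511, and does the partition table still make sense? The Python below is an added example, not code from the article or from any vendor quoted in it. It parses a 512-byte sector, returns a verdict of intact, wiped or damaged, and builds a synthetic MBR (constructed for the demo, not taken from a real disk) so it runs offline; check_device() is a name chosen here for reading the first sector of an image or block device.

```python
import struct
import sys

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR and say whether it still looks bootable.

    Checks the 0x55AA boot signature, decodes the four 16-byte partition
    entries and reports a verdict: "intact" (signature present, at least one
    sane partition), "wiped" (no signature and no partitions, e.g. zeroed) or
    "damaged" (anything in between, e.g. signature gone but a table present).
    """
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")

    signature_ok = sector[510:512] == BOOT_SIGNATURE
    bootstrap_blank = not any(sector[:PARTITION_TABLE_OFFSET])

    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype == 0 and num_sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
            # status must be 0x00 or 0x80; a partition cannot start at LBA 0 or be empty
            "sane": status in (0x00, 0x80) and lba_start > 0 and num_sectors > 0,
        })

    if signature_ok and partitions and all(p["sane"] for p in partitions):
        verdict = "intact"
    elif not signature_ok and not partitions:
        verdict = "wiped"
    else:
        verdict = "damaged"

    return {"signature_ok": signature_ok, "bootstrap_blank": bootstrap_blank,
            "partitions": partitions, "verdict": verdict}


def build_sample_mbr(wiped: bool = False) -> bytes:
    """Construct a synthetic MBR for the demo; not taken from any real disk."""
    if wiped:
        return bytes(MBR_SIZE)  # what an overwrite with zeros leaves behind
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"  # boot code normally starts with a short jump
    # one bootable NTFS (type 0x07) partition, 2048 sectors in, 100 MiB long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def check_device(path: str) -> dict:
    """Read the first sector of a disk image or block device and parse it."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(MBR_SIZE))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_device(sys.argv[1]))
    else:
        print("synthetic intact MBR:", parse_mbr(build_sample_mbr())["verdict"])
        print("synthetic wiped MBR: ", parse_mbr(build_sample_mbr(wiped=True))["verdict"])
```

Run it against a forensic image rather than the live disk. A wiper that overwrites the sector with a fixed string instead of zeros lands in the damaged bucket, because the garbage decodes into partition entries with impossible status bytes while the signature is gone; either way, the verdict tells the responder that the data partitions, not just the boot code, need to be recovered from backup or carved.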

It’s  not  known  how  the  malware  got  into  the  computer  systems.  Criminals  typically  send  malware  in  carefully  crafted  emails  meant  to  trick  recipients  into  opening  attachments  or  visiting  malicious  websites.  A  saboteur  may  also  have  installed  the  malware  through  a  USB  drive. 

But  no  matter  the  method,  the  criminals  were  able  to  bypass  the  companies'  defensive  technology  that  is  meant  to  catch  malware  before  it  reaches  computer  systems,  which  allowed  them  to  wreak  havoc  using  basic  technology. 

Because  no  organization's  defenses  are  impenetrable,  companies  need  to  think  about  security  as  not  just  stopping  an  attack  from  the  outside,  but  also  as  uncovering  malware  once  it  gets  in,  experts  say. 

Companies  should  work  from  the  assumption  that  their  computer  systems  are  already  infected,  which  means  they  need  to  constantly  examine  hardware  and  software  audit  logs  to  track  information  that  has  left  the  network  to  look  for  abnormalities,  says  James  Gabberty,  a  professor  of  information  systems  at  Pace  University. 
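Gabberty's advice above, to assume compromise and look for abnormalities in what leaves the network, is easiest to act on with a baseline. The Python below is an added example, not the article's or Pace University's code. It parses a simplified firewall or proxy export (a log format with src, dst, dport and bytes_out fields, assumed for this example; map your own source onto it), totals outbound bytes per internal host and flags hosts whose total sits far above the rest using the modified z-score built on the median and median absolute deviation, which a single large exfiltration cannot skew the way a mean and standard deviation can. The sample log lines are constructed: nine hosts browse normally, one pushes several hundred megabytes to a single external address, and one line is deliberately malformed.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Assumed export format for this example; map proxy, NetFlow or DLP logs onto the same fields.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: nine workstations doing ordinary HTTPS, one workstation
# pushing hundreds of megabytes to a single external host, plus one junk line.
SAMPLE_LOG = """\
2013-03-20T09:01:10 src=10.1.4.21 dst=203.0.113.9 dport=443 bytes_out=1824
2013-03-20T09:01:12 src=10.1.4.22 dst=203.0.113.9 dport=443 bytes_out=3150
2013-03-20T09:01:15 src=10.1.4.23 dst=203.0.113.9 dport=443 bytes_out=2780
2013-03-20T09:01:20 src=10.1.4.24 dst=203.0.113.15 dport=443 bytes_out=5120
2013-03-20T09:01:33 src=10.1.4.25 dst=203.0.113.9 dport=443 bytes_out=2430
2013-03-20T09:01:40 src=10.1.4.30 dst=198.51.100.77 dport=443 bytes_out=120000000
2013-03-20T09:02:02 src=10.1.4.26 dst=203.0.113.15 dport=443 bytes_out=3890
2013-03-20T09:02:05 src=10.1.4.27 dst=203.0.113.9 dport=443 bytes_out=4410
this line is not in the expected format
2013-03-20T09:02:17 src=10.1.4.21 dst=203.0.113.15 dport=443 bytes_out=2210
2013-03-20T09:02:30 src=10.1.4.30 dst=198.51.100.77 dport=443 bytes_out=98500000
2013-03-20T09:02:41 src=10.1.4.28 dst=203.0.113.9 dport=443 bytes_out=2975
2013-03-20T09:02:50 src=10.1.4.29 dst=203.0.113.9 dport=443 bytes_out=3560
2013-03-20T09:03:04 src=10.1.4.23 dst=203.0.113.15 dport=443 bytes_out=1960
2013-03-20T09:03:11 src=10.1.4.30 dst=198.51.100.77 dport=443 bytes_out=131250000
"""


def aggregate_egress(lines: Iterable[str]) -> Tuple[Dict[str, int], Dict[str, Set[str]], int]:
    """Sum bytes_out per internal source and collect the external hosts it talked to."""
    totals: Dict[str, int] = defaultdict(int)
    dests: Dict[str, Set[str]] = defaultdict(set)
    skipped = 0
    for line in lines:
        m = LOG_PATTERN.match(line.strip())
        if not m:
            skipped += 1  # never drop silently: unparsed lines are a signal of their own
            continue
        totals[m["src"]] += int(m["bytes"])
        dests[m["src"]].add(m["dst"])
    return dict(totals), dict(dests), skipped


def modified_z_outliers(totals: Dict[str, int], threshold: float = 3.5) -> Dict[str, float]:
    """Flag hosts whose egress is far above the fleet using the modified z-score.

    Median and median absolute deviation (MAD) replace mean and standard
    deviation because one exfiltrating host would otherwise inflate the
    baseline enough to hide itself. 0.6745 scales MAD to a standard-deviation
    equivalent; 3.5 is the customary cut-off (Iglewicz and Hoaglin).
    """
    values = list(totals.values())
    if len(values) < 3:
        return {}
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    flagged = {}
    for host, v in totals.items():
        score = 0.6745 * (v - med) / mad
        if score > threshold:
            flagged[host] = round(score, 1)
    return flagged


def analyze(log_text: str) -> dict:
    """Parse, baseline and flag; also list destinations only the flagged hosts use."""
    totals, dests, skipped = aggregate_egress(log_text.splitlines())
    flagged = modified_z_outliers(totals)
    shared = set().union(*(d for h, d in dests.items() if h not in flagged)) if dests else set()
    return {
        "flagged": flagged,
        "unique_destinations": {h: sorted(dests[h] - shared) for h in flagged},
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, score in result["flagged"].items():
        print(f"{host}: modified z = {score}, exclusive destinations = "
              f"{result['unique_destinations'][host]}")
    print(f"{result['skipped_lines']} unparsed line(s)")
```

Run it over a day of real data one subnet at a time, since hosts with different roles should not share a baseline. The exclusive-destination list for each flagged host is the first pivot for a responder, and the count of unparsed lines is worth alerting on by itself: an attacker who can shape what the logging agent emits can hide in exactly those lines.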

In  addition,  penetration  testing  should  be  performed  regularly  to  catch  system  vulnerabilities  before  they  are  exploited. 

Other  precautions  include  identifying  where  critical  data 
is  stored  in  a  network.  For  banks,  that  would  mean  knowing 
where  the  transactional  data  and  customer  data  is  sitting  and 
wrapping  it  in  security  technology  so  it  can't  be  easily  accessed 
by  malware,  says  Shteiman,  the  Imperva  strategist. 

It’s  not  yet  known  where  the  attacks  on  the  South  Korean  companies  originated.  The  country’s  longtime  enemy,  North  Korea,  is  a  suspect.  Other  experts  say  code  used  in  the  malware  is  distinctly  Chinese.  Whatever  the  origin,  the  attacks  weren’t  designed  to  steal  information,  but  rather  to  wreak  havoc,  much  like  the  Cyber  Fighters  of  Izz  ad-Din  al-Qassam,  an  Islamic  group  that  has  launched  waves  of  distributed  denial  of  service  (DDoS)  attacks  against  major  U.S.  banks  over  the  past  seven  months. 

Targets  include  Bank  of  America,  PNC  Financial,  Capital  One  Financial,  JPMorgan  Chase  and  Citigroup.  While  there’s  no  known  connection  between  the  attacks,  they  show  how  criminals  will  adopt  different  strategies  depending  on  what  they  want  to  accomplish.  The  DDoS  attacks  on  U.S.  banks  were  more  advanced  technically,  but  the  attackers  of  the  South  Korean  banks  did  much  more  damage.  “At  the  end  of  the  day,  the  sophistication  doesn’t  particularly  matter,”  says  Dan  Holden,  director  of  security  research  at  Arbor  Networks.  “The  motivation  dictates  how  sophisticated  the  attack  needs  to  be.” 

In  the  U.S.  bank  attacks,  the  motivation  appears  to  be  continuous  harassment  and  constant  probing  for  weaknesses  in  the  banks'  online  systems.  In  South  Korea,  one-time  destruction  was  the  goal. 

The  third  wave  of  attacks  against  U.S.  banks  started  again  in  February  after  a  one-month  suspension.  In  the  latest  assault,  the  attackers  are  constantly  changing  targets  at  the  application  layer  of  the  website,  rather  than  focusing  on  just  one  for  a  period  of  time,  Holden  says.  The  format  of  the  bogus  data  sent  to  try  to  overwhelm  Web  servers  is  also  changing  constantly.  -Antone  Gonsalves 


Experts  Applaud  Apple’s 
Two-Factor  Authentication 

APPLE  HAS  FOLLOWED  THE  LEAD  OF  RIVALS  LIKE  Facebook,  Google  and  Microsoft,  offering  two-step  authentication  to  help  customers  secure  their  Apple  IDs  against  hacking. 

The  new  feature  is  designed  to  block  unauthorized  changes 
to  iCloud  or  iTunes  accounts,  and  keep  hackers  who  steal  Apple 
IDs  from  purchasing  digital  content  or  hardware  using  the  credit 
cards  stored  in  customers’  iTunes  and  Apple  Store  profiles. 

iTunes  users  in  particular  have  complained  for  years  about 
security  so  lax  that  hackers  have  easily  hijacked  their  accounts 
to  run  up  big  bills. 

Security  experts  commended  Apple,  even  though  it  was  slow  to  pull  the  trigger.  “Always  exciting  to  see  a  major  consumer-oriented  service  roll  out  some  sort  of  two-factor  authentication,”  said  Jon  Oberheide,  co-founder  and  CTO  of  Duo  Security,  a  developer  of  authentication  software,  in  an  email.  “Rolling  your  own  two-factor  definitely  isn’t  a  trivial  task,  both  from  an  upfront  engineering  cost  and  continued  support  and  maintenance,  despite  the  perceived  ease  from  an  external  view.” 

Two-factor  authentication—sometimes  called  two-step  verification—is  a  more  demanding  method  of  locking  an  account  than  a  password-only  process.  In  enterprises,  for  instance,  two-factor  relies  on  hardware  tokens  that  generate  passcodes,  which  are  valid  for  just  moments  and  must  be  entered  along  with  the  usual  password. 

But  Web  services  don’t  distribute  tokens.  Instead,  they  send  a  passcode  to  a  mobile  phone  number  the  account  owner  has  set  earlier.  The  passcode  is  typically  sent  as  a  text  message. 

Apple’s  optional  two-factor  authentication  uses  that  same 
approach,  but  also  will  send  the  passcode  to  an  iOS  device  via 
the  Find  My  iPhone  app’s  notification  feature.  Find  My  iPhone  is 
normally  used  to,  not  surprisingly,  help  users  locate  lost,  stolen 
or  misplaced  devices. 
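The passcodes described above, valid for only moments and entered alongside the password, are in most hardware tokens and authenticator apps the TOTP scheme of RFC 6238, which is HOTP (RFC 4226) with the counter taken from the clock. The Python below is an added example and not Apple's, Duo Security's or any other vendor's implementation. It generates the codes, verifies a submitted code on the server side with a small clock-drift window and a constant-time comparison, and refuses a replayed code by remembering the last accepted counter. The shared secret used in the demo is the RFC 6238 test key, so the outputs can be checked against the RFC's published vectors; TokenState and replay_demo are names chosen for this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# RFC 6238 Appendix B test secret; a real deployment generates a random secret per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time divided by the step."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matching counter, or None if the code is wrong.

    Accepts +/- `window` steps of clock drift. Every candidate counter is
    compared with a constant-time comparison and the loop never exits early,
    so response time does not reveal which step matched. The caller must
    remember the returned counter and reject any later code whose counter is
    not greater; that is what stops a captured passcode from being replayed
    inside its validity window.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    if at is None:
        at = int(time.time())
    counter = at // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            matched = candidate
    return matched


class TokenState:
    """Per-user state the server keeps: the shared secret and the last accepted counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def login(self, submitted: str, at: Optional[int] = None) -> bool:
        matched = verify_totp(self.secret, submitted, at)
        if matched is None or matched <= self.last_counter:
            return False  # wrong code, or a replay of one already used
        self.last_counter = matched
        return True


def replay_demo(secret: bytes, at: int) -> Tuple[bool, bool]:
    """Same code presented twice: the first login succeeds, the replay is refused."""
    state = TokenState(secret)
    code = totp(secret, at)
    return state.login(code, at), state.login(code, at + 1)


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET))
    print("first use, then replay:", replay_demo(DEMO_SECRET, int(time.time())))
```

The window of one step on each side is the usual compromise between tolerating phone and token clock drift and keeping a stolen code short-lived; widen it only together with the replay check, since every extra step is another 30 seconds in which an intercepted code still works. An SMS-delivered code skips all of this arithmetic but inherits the carrier's security, which is the concern Oberheide raises below.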

That  feature  drew  accolades  from  the  experts.  “Using  a  native  app  for  two-factor  authentication,  like  Find  My  iPhone,  is  a  much  better  approach  than  simply  relying  on  SMS,  which  has  a  number  of  security  and  reliability  concerns,”  said  Oberheide. 

—Gregg  Keizer 
Bill  Brenner,  managing  editor 
CSOonline's  Salted  Hash  blog  and  newsletter  covers 
the  news  as  it  happens:  blogs.csoonline.com/blog/cso 
The  Spamhaus  DDoS  Is  History’s 
Biggest  Attack...Since  the  Last  One 


TO  ALL  YOU  VENDORS  AND  PR  FOLKS 
filling  my  inbox  with  alarming  emails  about 
how  the  biggest  distributed  denial-of-service 
(DDoS)  attack  in  history  is  unfolding:  Step 
back  and  take  a  breath. 

If  not  for  my  thick  skin  and  cast-iron  belly, 
I'd  have  lost  my  breakfast  one  morning  over 
all  the  emails  I  was  getting  about  the  DDoS 
attack  that  started  with  a  fight  between 
Spamhaus  and  its  enemies. 

I'm  getting  emails  with  subject  lines  like, 
“The  biggest  Internet  attack  in  history”  and, 

“An  attack  that  threatens  the  underpinnings  of 
the  Internet.” 

The  news,  as  we  reported,  goes  like  this: 

A  tiff  between  a  Dutch  company  and 
Spamhaus,  which  blacklists  spammers,  has 
turned  into  a  cyberattack  of  epic  proportions. 

“The  DDoS  attack  spread  from  the  Spamhaus  website  to  the  rest  of  the  Internet,  reportedly  affecting  millions  of  rank-and-file  Internet  users.  Spamhaus  became  the  target  of  the  attack  after  it  blacklisted  CyberBunker,  a  Dutch  company,  as  a  source  of  spam,  the  New  York  Times  reported.  CyberBunker  appears  to  be  a  wide-open  hosting  service  that  will  allow  anyone  to  set  up  a  website  on  its  servers,  save  for  pornographers  and  terrorists. 

“Although  little  is  known  about  the  group  behind  the  cyber  fray,  an  Internet  activist,  Sven  Olaf  Kamphuis,  who  claimed  to  be  a  representative  for  the  attackers,  told  the  Times  the  assault  was  in  retaliation  for  Spamhaus  ‘abusing  their  influence.’ 

“The  DDoS  attack,  which  may  be  the  largest  ever  seen  in  cyberspace,  exploits  the  architecture  of  the  Internet  to  marshal  enormous  amounts  of  traffic  that  can  be  aimed  at  a  website  to  disrupt  service  to  it.” 

True,  this  is  a  pretty  big  attack.  True, 
it’s  causing  slowdowns  for  a  lot  of  people. 

But  the  biggest  and  most  damaging?  I  heard 
that  about  the  biggest  DDoS  of  last  week. 
And  the  week  before.  And  last  month.  You  get 
the  picture. 

We  do  need  awareness  when  these  attacks  happen  because  infosec  practitioners  need  the  details  to  take  appropriate  action.  But  panic  will  never  help  them  do  their  jobs.  FUD  usually  has  two  outcomes:  Some  people  become  desensitized  and  start  to  ignore  their  news  feeds,  leaving  them  open  to  peril  when  something  serious  is  afoot;  others  become  overwhelmed.  When  you  become  overwhelmed  on  the  job,  you  make  mistakes. 

Let's  dial  the  FUD  down  a  few  notches  and 
carry  on. 


Research  Shows  a  Mere  5  Percent  of  Java-Enabled  Browsers  Are  Up-to-Date 


MOST  BROWSER  INSTALLATIONS  use  outdated  versions  of  the  Java  plug-in  that  are  vulnerable  to  at  least  one  of  several  exploits  currently  used  in  popular  Web  attack  toolkits,  according  to  statistics  from  security  vendor  Websense. 

The  company  recently  used  its  threat  intelligence  network,  which  monitors  billions  of  Web  requests  originating  from  tens  of  millions  of  endpoint  computers  protected  by  its  products,  to  detect  which  Java  versions  are  installed  on  its  users’  systems  and  are  running  on  their  Web  browsers. 

Websense  provides  Web  and  email  gateway  security  products  for  businesses,  but  it  also  has  a  partnership  with  Facebook  to  scan  links  on  the  social  networking  site  for  malicious  content. 

The  Java  telemetry  data  gathered  by  Websense  showed  that  only  5.5  percent  of  Java-enabled  browsers  are  using  the  most  up-to-date  versions  of  the  software’s  browser  plug-in,  Java  7  Update  17  and  Java  6  Update  43. 

These  two  versions  were  released  on  March  4  to  address  a  vulnerability  that  was  already  being  exploited  in  active  attacks. 

According  to  Websense,  an  exploit  for  that  vulnerability  has  since  been  integrated  into  the  Cool  Exploit  Kit,  a  Web  attack  toolkit  used  by  cybercriminals  to  launch  mass  drive-by  download  attacks  that  infect  computers  with  malware  when  they  visit  compromised  or  malicious  websites. 

Cool  Exploit  Kit  is  a  high-end  attack  toolkit  that  requires  a  subscription  of  $10,000  per  month,  so  it’s  possible  that  not  many  cybercriminals  can  afford  it. 

However,  Websense’s  data  shows  that  a  large  number  of  Java-enabled  browser  installations  are  also  vulnerable  to  exploits  that  are  used  in  much  cheaper  and  more  popular  exploit  kits. 
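Telemetry like Websense's above starts from one version string per endpoint, and the awkward part is the formats: the java.version property reads 1.7.0_17 or 1.7.0_17-b02, while the browser plug-in advertises itself under a name such as Java(TM) Platform SE 7 U17. The Python below is an added example, not Websense's tooling. It parses both forms (the plug-in name pattern is an assumption for this example; adjust it to what your endpoint agent reports), compares each against the patched releases the article names, Java 7 Update 17 and Java 6 Update 43, and summarises a constructed inventory. Hosts on an end-of-life major such as Java 5 are counted as outdated even though the table has no entry for them.

```python
import re
from typing import Dict, Optional, Tuple

# Earliest safe update per major release, per the article: Java 7 Update 17 and
# Java 6 Update 43 (both released March 4, 2013). Update this table as patches ship.
MIN_PATCHED_UPDATE = {7: 17, 6: 43}

# Two formats seen in inventories: the java.version property ("1.7.0_17", "1.7.0_17-b02")
# and the browser plug-in name ("Java(TM) Platform SE 7 U17"). The plug-in pattern is
# an assumption for this example; adjust it to whatever your endpoint agent reports.
JAVA_VERSION_RE = re.compile(r"^1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?(?:-\S+)?$")
PLUGIN_NAME_RE = re.compile(r"^Java\(TM\) Platform SE (?P<major>\d+)(?: U(?P<update>\d+))?$")


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from either format, or None if unrecognised."""
    text = text.strip()
    for pattern in (JAVA_VERSION_RE, PLUGIN_NAME_RE):
        m = pattern.match(text)
        if m:
            return int(m["major"]), int(m["update"] or 0)
    return None


def is_outdated(text: str) -> Optional[bool]:
    """True if the install predates the patched release for its major version.

    Majors older than any entry in the table are end-of-life and always
    outdated; majors newer than the table are assumed current. None means
    the string could not be parsed and needs a human look.
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    if major in MIN_PATCHED_UPDATE:
        return update < MIN_PATCHED_UPDATE[major]
    return major < min(MIN_PATCHED_UPDATE)


# Constructed inventory, one "host,version" row per endpoint (not real telemetry).
SAMPLE_INVENTORY = """\
ws-0101,1.7.0_17
ws-0102,1.7.0_15-b03
ws-0103,1.6.0_43-b01
ws-0104,1.6.0_37
ws-0105,Java(TM) Platform SE 7 U17
ws-0106,Java(TM) Platform SE 7 U11
ws-0107,1.5.0_22
ws-0108,not installed
ws-0109,1.7.0_17
ws-0110,1.6.0_41
"""


def summarize(inventory: str) -> Dict[str, object]:
    """Bucket every host as current, outdated or unknown and compute the current share."""
    current, outdated, unknown = [], [], []
    for row in inventory.splitlines():
        host, _, version = row.partition(",")
        verdict = is_outdated(version)
        (unknown if verdict is None else outdated if verdict else current).append(host)
    parsed = len(current) + len(outdated)
    return {
        "current": current,
        "outdated": outdated,
        "unknown": unknown,
        "current_pct": round(100.0 * len(current) / parsed, 1) if parsed else 0.0,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_INVENTORY)
    print(f"{s['current_pct']}% of Java-enabled hosts are on a patched release")
    print("outdated:", ", ".join(s["outdated"]))
    print("unknown: ", ", ".join(s["unknown"]))
```

The unknown bucket matters as much as the outdated one: a host whose agent cannot report a version is usually one where the plug-in is present but the agent is not, which is the population a fleet-wide percentage quietly leaves out.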

-Lucian  Constantin 
Managing  Security  from 
the  Inside  Out 


Market 

Pulse 


As  enterprise  networks  become  even  more  complex,  IT  organizations  are  being  challenged  to  transform  their  security  strategy  to  keep  pace.  Instead  of  only  thinking  about  "doors"  and  network  security,  IT  organizations  need  to  refocus  attention  on  their  business's  most  strategic  assets:  the  applications  and  data  in  the  enterprise. 

When  criminals  breach  a  network,  they  target  databases  and  weak  user  access  controls  as  a  means  to  acquiring  valuable  information  assets.  By  not  aligning  security  budgets  with  their  organization's  most  valuable  assets,  the  information  stored  in  databases,  applications  and  servers,  security  teams  are  leaving  the  enterprise  vulnerable  to  attacks  from  inside  and  attack  vectors  that  bypass  the  perimeter.  The  attacks  take  advantage  of  weak  user  access  controls  to  critical  systems  and  applications. 

"Much  of  the  budget  spent  on  IT  security  today  is  reactive,"  says  Naresh  Persaud,  director  of  product  marketing  security  at  Oracle.  "When  criminals  break  in,  organizations  focus  on  responding  to  the  crime,  but  spend  little  attention  on  long-term  strategic  activity  to  protect  the  information  assets  and  the  databases." 

Figure:  Allocation  of  Resources  by  Vulnerability  Layer 

The  majority  of  respondents  in  a  new  CSO  Market  Pulse  survey  acknowledge  that  the  biggest  potential  damage  to  their  business  lies  at  the  database  layer  of  their  IT  infrastructure.  Yet  their  budget  allocations  are  the  opposite  of  where  risks  are  perceived:  Two-thirds  of  IT  security  resources,  including  budget  and  staff  time,  are  allocated  to  protecting  the  network  layer,  with  the  remaining  third  split  among  applications,  databases  and  middleware. 

The  gap  between  the  threat  of  severe  damage 
from  a  database  attack  vs.  the  resources  allocated  to 
protecting  the  database  layer  highlights  a  disconnect  in 
how  organizations  are  securing  their  IT  infrastructures. 

An  inside-out  approach  could  help  security  chiefs  address  this  challenge.  There's  a  growing  imperative  for  CSOs  and  CISOs  to  rebalance  security  resources  to  improve  safeguards  around  corporate  information  assets.  Securing  access  to  customer  data,  intellectual  property  and  financial  data  at  the  source  can  save  companies  time  and  money. 

What's  the  best  path  to  developing  an  inside-out 
approach  to  security?  There  are  three  steps  CSOs 
and  ClSOs  can  take  to  realign  their  resources  and 
increase  confidence  in  the  robustness  of  their 
security  infrastructure.  ■ 


For  more  information:  please  visit 

www.oracle.com/security. 


___  Oracle  Database  Security  & 

oracle  Identity  Management 
Sandboxing Tech Is No Silver Bullet for Detecting Malware, But It Still Has Its Uses

THE SECURITY TECHNOLOGY CALLED SANDBOXING AIMS to detect malware by making it run in a quarantined system so the software can be analyzed for behavior and traits that are characteristic of malware. This alternative to traditional signature-based malware defense is seen as particularly useful for spotting zero-day malware and stealthy attacks.

While the technique is often effective, it's hardly foolproof, according to Christopher Kruegel, an associate professor of computer science at the University of California at Santa Barbara and a security researcher who helped establish the sandboxing technology used by startup Lastline.

When it comes to malware detection, “a sandbox shouldn’t be considered a silver bullet,” says Kruegel, who is chief scientist at Lastline. His admonition comes at a time when the sandbox approach, typically applied to email, is getting more attention as a way to uncover stealthy zero-day attacks intended to compromise organizations and steal data.

FireEye, Trend Micro, Palo Alto, GFI, AhnLab, Damballa, Norman and Sourcefire are among the security firms with some form of sandboxing; McAfee recently acquired ValidEdge to expand its own approach.

But malware authors are aware of sandboxing and they’re coming up with various ways to evade that form of detection, Kruegel warns, as part of what he says is a security arms race.

The methods used by the creators of malware to help their software evade detection include:

Stalling code. According to Lastline, “this new evasive technique delays the execution of malicious code so that a sandbox times out. However, to do this, the malware does not simply sleep. Instead, the malware performs some (useless) computation that gives the appearance of activity.”

The stalling technique works because it “simply executes, and from the point of view of the malware analysis system, everything is normal.”

A blind spot in the sandbox implementation. To monitor malware, “a sandbox introduces hooks,” Lastline says. “These hooks can be inserted directly into a program to get notifications (callbacks) for function or library calls. The problem with direct hooks is that the program code needs to be modified, and this can be detected by malware or interfere with dynamic code generation (unpacking).”

But the main problem with hooking system calls is that “the sandbox cannot see any instruction that the malware executes between calls. This is a significant blind spot that malware authors can target: and they do so with stalling code.”

Novel, zero-day “environmental checks.” These are tools related to the operating system, and they manipulate the return value as an evasive maneuver. Vendors have to patch their sandbox to catch malware equipped with this kind of tool, according to Lastline.

Lastline seeks to address these sandbox-evasion tricks in the Previct appliance it offers, but Kruegel acknowledges “there is no 100 percent security.”

Some information-security managers say they appreciate sandboxing as a defensive technology but don’t seem to have any illusions that it is going to be perfect in detecting and stopping malware.

“Sandboxing will get some of it,” says Brad Stroeh, senior network security engineer at First Financial Bank, a Sourcefire customer, in discussing a wide variety of security approaches and the trust he places in them.

It’s worthwhile to subject malware to a sandbox test whenever possible, and it’s useful as part of the overall defensive process. But since malware could bypass sandbox checks, it only makes sense to use other malware-detection methods as well.

-Ellen Messmer
Think Layers of Security Are All That? Think Again

NSS LABS, A SECURITY RESEARCH and advisory firm, has found that the layers of malware-catching technology that start at the perimeter of the corporate network and end at the desktop will always fail to catch some exploits.

In testing all the major technologies used by corporations, NSS found that some of the 1,800 pieces of serious malware it tested always managed to get through, no matter what combination of products was used.

The typical layered defense comprises a couple of firewalls, an intrusion-prevention system, a next-generation firewall, security built into browsers and antivirus software on the desktop or notebook. “Regardless of the number of layers I add into my security kill chain, things are still going to get through," says Frank Artes, research director of NSS. The term “kill chain" refers to the idea that malware missed by one layer will be caught, or killed, by the next layer.

All the malware used in testing various layers of technology had CVE numbers, meaning they were known exploits. Some were more than 6 years old, yet were still missed by the IPSes, firewalls, and so on.

The lab did not research why each product missed a particular malware. In general, products fail because the malware’s signature doesn’t match what’s in the technology’s database. The absence of a match is why malware variants and previously unknown exploit code get through antivirus and other security software.

NSS built a model in which subscribers can test many combinations of technologies across several layers to see which malware gets through. For companies looking to replace technology, the model is helpful in determining how their configuration will perform when the new products are used with their existing technology.

Don’t think the findings show that layered technology is useless, however. "Layered security still makes the most logical sense," Artes says. “It’s not performing as well as it should, and that’s because there’s different layers of that security model where the vendors aren’t producing what they’ve gone to market claiming they can do.”

Experts have pointed out the weakness of a defense-only strategy many times, most recently with the attacks on South Korean banks. While firewalls, intrusion-prevention systems and antivirus software catch a lot of malware, companies should assume some malicious code has gotten through to infect systems.

Experts recommend monitoring hardware and software audit logs for abnormalities. In addition, systems where critical data is stored should be wrapped in their own security to prevent malware from penetrating.

To improve layered defenses, Artes recommends making sure products are kept up to date and the latest malware signatures have been installed. In addition, companies should test vendors' products as rigorously as possible. -Antone Gonsalves
New Malware Keeps Android in the Crosshairs, Targets Political Activists for Cyberespionage

RECENTLY DISCOVERED ANDROID malware used in targeted attacks against Tibetan and Uyghur activists in Europe is a warning to U.S. companies that mobile devices will likely be targeted in future cyberespionage attacks, experts say.

Kaspersky Lab discovered the malware while looking into a spear phishing campaign; the investigation stemmed from the March 24 hack of the email account of a high-profile Tibetan activist.

In the attack emails sent to activists, the security company found an attachment carrying a malicious program for Android. The activists are protesting China’s treatment of Tibetans and the Uyghurs, a Turkic ethnic group in China.

In the past, Kaspersky has documented attacks targeting activists on Windows and Mac OS X platforms. These attacks typically use zip files, as well as Word, XLS or PDF documents rigged with exploits.

“Since this was the first publicly documented Android-based targeted attack, we will inevitably see more of them,” says Kurt Baumgartner, a senior security researcher for Kaspersky.

Characteristics of the campaign were similar to those seen in cyberespionage attacks targeting U.S. organizations, Baumgartner says, although he declined to provide details. “Given this, there is a high probability that these Android-based attacks will be modified and re-used for future attacks.”

The email attachment targeting Android devices carried an Android Package (APK) file used to distribute and install software on Google’s mobile operating system. The malware-carrying message tried to trick recipients into opening that attachment by pretending that it contained information on a recent human rights conference in Geneva, Kaspersky says.

If opened, the attachment showed a bogus message from Dolkun Isa, chairman of the executive committee of the World Uyghur Congress. In the background, the malware reported the infection to a command-and-control server and then started harvesting data from the device, including contacts, call logs, text messages, geolocation and phone-related data, such as its phone number, OS version and model.

Kaspersky could not identify the attackers, but given the targets, the malware most likely originated in China, experts say. Chinese hackers are active in cyberespionage and are innovators in the field.

“China is going to be the breeding ground for new malware,” says Sean Sullivan, a security adviser for F-Secure.

Chinese hackers have been particularly focused on mobile devices, Sullivan says. “They are the innovators of new types of threats for mobile platforms."

Rick Holland, an analyst with Forrester, says the latest attack is probably not the first one to target Android. “It’s just the first evidence we have found thus far.”

While it seems Android has not yet been targeted in cyberattacks on U.S. organizations, the Kaspersky discovery shows it can be done and companies should consider that possibility when formulating their bring-your-own-device policies, Sullivan says.

“It’s going to be difficult [for companies] to deny or push back against the bring-your-own-device movement, but it can’t be just an open slate,” he says.

—Antone Gonsalves
Stats Class: How Crunching Numbers Can Drive Decisions

As security and risk management get more complex, the art and science of statistical analysis is gaining importance

BY GEORGE V. HULME

NOT TOO LONG AGO, MAKING SMART security decisions seemed easier.

Systems on the local network needed to be patched, anti-malware software needed to be deployed, intrusion detection and prevention systems had to be in place at strategic network points, and virtual private networks had to be set up to protect point-to-point communications. There was a baseline level of IT security maturity, and most everybody wasn’t there yet. And as a result, the budget that was available needed to be spent on the basics.

Today, the equation is much different.

Most organizations now have the basics in place, but deciding where to spend the security budget to reduce the most risk has grown more complex. How do organizations know that they aren’t underspending on IT security? How do they know they aren’t overspending? How do risk managers know what time of year is the best time to kick off a new security awareness program? Or whether the recent budget windfall would be better spent hardening the physical security around the data center, or bolstering supply-chain security?

This is where decisions supported by carefully cultivated statistics can shine. So welcome to Stats Class, where we hope to introduce you to some of the key concepts of applying statistics to risk management.

When done correctly, proponents say, statistics can be a valuable tool in the risk manager’s decision-support arsenal. Done incorrectly, they warn, it can lead to increasingly poor decision making.

Today’s lesson: the tactical versus strategic use of statistics in risk management.

Applying statistics to tactical security. Whether it’s through a security information and event management (SIEM) system, a data warehouse, a spam filter, or any of a number of other defensive technologies, statistics and mathematical decisions are used every day to make tactical decisions. Is a certain application transaction allowed? Should a network connection be blocked? Does this event need to be flagged? “These are all very tactical, but very instantaneous decisions made in near-real time without a lot of analysis given," says Alex Hutton, director of technology and operations risk at Zions Bancorp.
“An example would be when the SIEM notices a system is at 400 percent of normal utilization and it’s 2:00 a.m. and the system is trying to make suspicious connections. And with all of these attributes known, you infer the probability that an activity is good or bad, and then automate your response,” Hutton says.

And the more data you can throw at these decision-making processes, the better your models will become, says Hutton. “When you add job role context to access decisions, for instance, you can make even better decisions, as you know there is no reason why an individual with a certain job needs to be accessing a server at that time. Or the system can identify that a worker left the building hours ago, yet their desktop is still active online. These are all tactical risk decisions,” Hutton says.
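The tactical decision Hutton describes (a SIEM seeing 400 percent of normal utilization at 2:00 a.m. with suspicious connections, inferring a probability that the activity is bad, then automating the response, and getting sharper once job-role and badge-out context are added) as an added Python example. This is illustration code, not Zions Bancorp's or the article's own system; the prior, the per-attribute likelihoods, the response thresholds and the three sample events are all constructed assumptions that a real deployment would replace with figures estimated from its own history.

```python
"""Tactical risk scoring of SIEM events: infer P(malicious | attributes), then act.

Added illustration, not code from the article or from Zions Bancorp. The prior,
the per-attribute likelihoods and the sample events are constructed assumptions.
"""
from dataclasses import dataclass
from math import exp, log

# Constructed prior: fraction of SIEM events that turn out to be malicious.
PRIOR_MALICIOUS = 0.02

# Constructed likelihoods, attribute -> (P(attr | malicious), P(attr | benign)).
LIKELIHOODS = {
    "utilization_spike": (0.60, 0.05),  # host at >= 300% of its normal load
    "off_hours":         (0.70, 0.20),  # activity between 22:00 and 06:00
    "suspicious_conns":  (0.80, 0.02),  # outbound connections to unknown hosts
    "role_mismatch":     (0.75, 0.03),  # user's job role never uses this host
    "user_not_on_site":  (0.50, 0.05),  # badge system says the user left the building
}


@dataclass
class Event:
    host: str
    user: str
    hour: int              # local hour, 0-23
    utilization_pct: int   # percent of the host's normal baseline
    suspicious_conns: int
    user_role: str
    host_roles: frozenset  # roles expected to use this host
    user_badged_out: bool


def observed_attributes(ev: Event) -> set:
    """Map raw event fields onto the boolean attributes the model knows about."""
    attrs = set()
    if ev.utilization_pct >= 300:
        attrs.add("utilization_spike")
    if ev.hour >= 22 or ev.hour < 6:
        attrs.add("off_hours")
    if ev.suspicious_conns > 0:
        attrs.add("suspicious_conns")
    if ev.user_role not in ev.host_roles:
        attrs.add("role_mismatch")
    if ev.user_badged_out:
        attrs.add("user_not_on_site")
    return attrs


def probability_malicious(ev: Event) -> float:
    """Naive-Bayes posterior P(malicious | observed attributes) in log-odds form.

    Absent attributes contribute (1 - p) terms, so a quiet in-hours event is
    pushed below the prior instead of being left at it.
    """
    attrs = observed_attributes(ev)
    log_odds = log(PRIOR_MALICIOUS / (1 - PRIOR_MALICIOUS))
    for name, (p_mal, p_ben) in LIKELIHOODS.items():
        if name in attrs:
            log_odds += log(p_mal / p_ben)
        else:
            log_odds += log((1 - p_mal) / (1 - p_ben))
    return 1 / (1 + exp(-log_odds))


def automated_response(ev: Event) -> str:
    """Constructed response tiers; the decision is made per event with no analyst in the loop."""
    p = probability_malicious(ev)
    if p >= 0.9:
        return "isolate_host"
    if p >= 0.5:
        return "block_connections_and_alert"
    if p >= 0.1:
        return "alert"
    return "allow"


# Constructed sample events. The first is Hutton's scenario without job-role or
# badge context; the second adds that context; the third is ordinary daytime use.
HUTTON_STYLE_EVENT = Event("db-prod-01", "alice", 2, 400, 3, "dba", frozenset({"dba"}), False)
WITH_CONTEXT_EVENT = Event("db-prod-01", "bob", 2, 400, 3, "hr", frozenset({"dba"}), True)
QUIET_EVENT = Event("db-prod-01", "alice", 14, 110, 0, "dba", frozenset({"dba"}), False)

if __name__ == "__main__":
    for ev in (HUTTON_STYLE_EVENT, WITH_CONTEXT_EVENT, QUIET_EVENT):
        print(f"{ev.user}@{ev.host} {ev.hour:02d}:00 -> "
              f"p={probability_malicious(ev):.4f} action={automated_response(ev)}")
```

With these constructed numbers the bare Hutton scenario lands at roughly 0.82 and gets connections blocked plus an alert; adding the role mismatch and the badge-out record pushes it above 0.999 and to host isolation, which is the point Hutton makes about context. The likelihood table is the part that must come from the organization's own incident history, not from a vendor default.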

Using statistics strategically. Using statistics to support risk management strategy is very different from using them to support executive decisions, Hutton explains. "For strategic decision support, what you’re looking at now is less-quality data, but there is no less a need to support decisions that are useful at this level,” Hutton explains.

What could statistics used for strategic decision support look like in practice? “Suppose you model that your organization is always up against an advanced, motivated attacker. And you estimate that your defenses can hold up against such attacks for up to two years, that is, every two years you will be unable to resist the advanced attacker, and the dollar impact will be $1 million. That figure is based on internal interviews that concluded that was the dollar amount in jeopardy,” Hutton explains. Additionally, analysis showed that it would cost X amount to be able to reduce the likelihood of a successful attack to once every four years. “Now the executives can decide to make those investments or not.”

When do you need Monte Carlo simulations? How could someone estimate how often an attacker with a certain skill set might be successful in breaching their defenses? One tool is the Monte Carlo simulation, in which a range of variables are fed into the model and a forecast is returned. The variables are a range of the analysts’ estimates.

One use for this kind of tool is measuring the impact of hurricanes on business operations over the course of a year or two. “You know there will be a certain number of storms with varying intensities. You can see that X number of Category 1 storms occur every 100 years and X number of Category 5 strike in the same period,” says Jay Jacobs, vice president of the Society of Information Risk Analysts. “You assume with each storm you’d lose this range of money in this area from lost business and this much from building repair costs, shipping costs, cancelled orders. The analyst would create many different variables about storm strengths, and when the storms hit (time of day, week, month) and more. The model should reveal that across 500 storms you experience an average loss of X, with worst-case being N and best-case being Y. And you’ll have a better idea what investments are best to mitigate hurricane-damage costs,” Jacobs explains.

What is a random forest model? Another statistical tool at the risk manager’s disposal is the random forest, which is a model of individual decision trees that change as variables are fed into the system. “Random trees are stochastic, meaning they depend on random inputs, and they’re very helpful at creating a way to describe complex scenarios. You have five options and you answer one and each answer has five options and work your way down these decision trees,” says Jacobs.

Be careful with ordinal numbers. It's easy to make mistakes, and one of the easiest to make is multiplying ordinal numbers.

“This bad practice is actually pervasive and very simple,” Hutton says. “It’s ... multiplying the ordinal values together and then pretending like something useful was calculated. One of the original equations we are taught is risk equals threat times impact. What does that really mean? How much greater is a threat 7 versus a threat 6? It’s like asking how much more you like one baseball team over another. The distance between the two may be small, or it may be colossal.”

“So what you are saying when you multiply 5 (threat) times 7 (impact) equals 35 (risk) is that your risk is 35. That result may be kind of right, but you don’t know when it’s right. And you don’t know when the result is wrong, and when it’s wrong you don’t know how wrong,” says Hutton.

Analyze your assumptions. Every model is built on a set of assumptions. “However, if you don’t know what those assumptions are and you don’t validate them, you could completely be misapplying the statistics,” warns Jacobs. “It’s not that assumptions are bad. They’re not. In fact, they are unavoidable.... The trick is not to avoid them but to identify them and then validate them.”

How might an organization measure its risk with these tools? One way, says Hutton, would be to apply a Monte Carlo simulation. Create a distribution of attacker skill levels from novice to advanced. And based on your organization’s past, you can see the attacker skill distribution you face. Next, what does your resistance look like? Let's assume you have a very strong management program. “Now, compare those two distributions together using Monte Carlo simulations and you run 10,000 attack simulations against your defense distribution. You find that 9,990 times in those simulations you are able to defeat the attacker’s efforts," explains Hutton.

Next, compare those successful attacks to how often you get attacked, then compare that to a likely range of costs for those breaches. This gives you a much clearer understanding of your organization's risk.
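The Monte Carlo procedure Hutton outlines (an attacker skill distribution from past incidents, a defense resistance distribution, 10,000 simulated attacks, then attack frequency and a cost range) as an added Python example. It also produces the kind of annual summary Jacobs describes for the hurricane model: average, best-case and worst-case loss over many simulated years. This is not the article's, Zions Bancorp's or SIRA's own model; every distribution in it (the skill tiers and their shares, the resistance triangle, attacks per year, cost per breach) is a constructed stand-in for an organization's own data, and the 10,000-trial result will differ from the 9,990 in Hutton's quote because the inputs are invented.

```python
"""Monte Carlo risk estimate: attacker skill vs. defense resistance, then annual loss.

Added example, not the article's or Zions Bancorp's own model. Every distribution
below is a constructed assumption standing in for an organization's own history.
"""
import random
import statistics

# Constructed attacker-skill distribution "from the organization's past":
# (tier, share of observed attacks, low skill, high skill), skill on a 0..1 scale.
ATTACKER_TIERS = [
    ("novice",       0.60, 0.00, 0.40),
    ("intermediate", 0.30, 0.30, 0.70),
    ("advanced",     0.10, 0.60, 0.95),
]

# Constructed resistance of a strong control program: triangular(low, mode, high).
DEFENSE_LOW, DEFENSE_MODE, DEFENSE_HIGH = 0.70, 0.90, 0.98

# Constructed attack frequency and per-breach cost range (USD), given as ranges
# of analyst estimates rather than single points, as the article recommends.
ATTACKS_PER_YEAR = (6, 20)                      # uniform integer range
BREACH_COST = (200_000, 1_000_000, 3_000_000)   # triangular(low, mode, high)


def draw_attacker_skill(rng: random.Random) -> float:
    """Pick a tier by its share, then a skill level within that tier's range."""
    u = rng.random()
    cumulative = 0.0
    for _tier, share, low, high in ATTACKER_TIERS:
        cumulative += share
        if u < cumulative:
            return rng.uniform(low, high)
    _tier, _share, low, high = ATTACKER_TIERS[-1]   # guard against rounding
    return rng.uniform(low, high)


def simulate_attacks(trials: int = 10_000, seed: int = 1) -> dict:
    """Pit attacker skill against defense resistance `trials` times.

    An attack succeeds only when the drawn skill exceeds the drawn resistance.
    Returns the defeat/success counts and the estimated per-attack success rate.
    """
    rng = random.Random(seed)
    defeated = 0
    for _ in range(trials):
        skill = draw_attacker_skill(rng)
        resistance = rng.triangular(DEFENSE_LOW, DEFENSE_HIGH, DEFENSE_MODE)
        if skill <= resistance:
            defeated += 1
    succeeded = trials - defeated
    return {"trials": trials, "defeated": defeated,
            "succeeded": succeeded, "p_success": succeeded / trials}


def simulate_annual_loss(p_success: float, years: int = 5_000, seed: int = 2) -> dict:
    """Combine the per-attack success rate with attack arrival rate and breach
    cost to get a distribution of yearly loss: mean, best, worst and 95th percentile."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n_attacks = rng.randint(*ATTACKS_PER_YEAR)
        year_loss = 0.0
        for _ in range(n_attacks):
            if rng.random() < p_success:
                low, mode, high = BREACH_COST
                year_loss += rng.triangular(low, high, mode)
        losses.append(year_loss)
    losses.sort()
    return {
        "mean": statistics.fmean(losses),
        "best_case": losses[0],
        "worst_case": losses[-1],
        "p95": losses[int(0.95 * (years - 1))],
        "share_of_years_without_breach": losses.count(0.0) / years,
    }


if __name__ == "__main__":
    attacks = simulate_attacks()
    print(f"defended {attacks['defeated']} of {attacks['trials']} simulated attacks")
    for key, value in simulate_annual_loss(attacks["p_success"]).items():
        print(f"{key:>30}: {value:,.2f}")
```

Two design points follow the article's warnings. The inputs are ranges, not the ordinal "threat 7 times impact 5" scores Hutton criticizes, so the output is in dollars per year and carries a spread. And every assumption is a named constant at the top of the file, which is what Jacobs means by identifying assumptions so they can be validated: replacing `ATTACKER_TIERS` with tiers derived from real incident tickets, or the resistance triangle with red-team results, changes the answer without changing the method.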
Chief security officers (CSOs) know that securing the enterprise is no longer about planning for if an attack will occur, it's a question of when, and how prepared they are to react. The challenge for many CSOs is deciding how to allocate investments to shore up each critical element of the security ecosystem, from internal data sources out to the network boundaries.


One lesson is becoming clear: As the threat matrix grows more advanced, IT security policies will need to adapt accordingly. Particularly at large organizations, CSOs and their infosecurity teams are discovering that security "commodities" such as antivirus software and application firewalls are no longer sufficient. Organizations need to look toward solutions that provide far better visibility across the enterprise, along with more sophisticated analytical capabilities that allow security teams to anticipate vulnerabilities and react quickly to threats.

A CSO Market Pulse survey finds that many enterprises lack these types of advanced security technologies. Fewer than 40% have deployed advanced solutions such as data loss prevention (DLP), security analytics, forensics, or risk mitigation. Respondents at large organizations (more than 5,000 employees) are only slightly more likely to have deployed security technologies.

Fast-paced changes within IT, coupled with a lack of human capital from an already thinly stretched IT workforce, are the most significant barriers to meeting IT security objectives.

"A thinly stretched workforce can leave gaps in your security strategy," says Mike Mitchell, director of managed services with Genesis Networks. "You may have a knowledgeable IT staff, but if they're not trained in what to look for, they might miss a rising threat."

A shortage of in-house resources dedicated to information security, combined with constantly evolving threats, is leading more organizations to consider managed security services. More than half of the respondents in the CSO Market Pulse survey say their organization is likely to outsource security or network assessments over the next 12 months.

CSOs acknowledge that service providers can fill some of the security skills gaps in their organizations. Nearly two-thirds of survey respondents at large companies cite access to specialized skills as a top potential benefit of working with a managed service provider for IT security. Other benefits include 24/7 monitoring capabilities, reallocation of IT resources to other projects, and improved security effectiveness.

For any organization, the correct approach to enterprise security means finding the right balance between risk and resources. For more on this topic, download the CSO Market Pulse report, "Plugging the Gaps in Your Security Strategy."
Businesses Can’t Afford to Ignore Executive Order

PHIL AGCAOILI, CISO WITH Cox Communications, wants everyone to know: President Obama's executive order on cybersecurity will lead to fast changes, and private enterprise can’t afford to ignore it. He delivered the message at CSO's Confab in Braselton, Ga., last month.

He noted that there’s elevated anxiety in the public and private sectors over malware designed to attack critical infrastructure, including Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper and Shamoon. He explained that many of the everyday devices we take for granted, including insulin pumps, pacemakers and smart TVs, contain computers vulnerable to attack, and added that some much more high-profile machines could also be vulnerable, including the military’s fleet of drones.

Meanwhile, Agcaoili said, all the old problems remain, including phishing attacks, Windows and other OS flaws, app security holes and cloud security vulnerabilities.

The government has reacted to these trends with several proposed bills, none of which are expected to go anywhere. Enter President Obama and his executive order. This October, the draft of the U.S. Cybersecurity Framework will come out. It is expected to be finalized in February 2014 and agencies are to report back in three years on their progress.

In the meantime the Department of Homeland Security will work with other agencies to find some incentives that will entice the private sector to adopt the new standards and to develop a program that will help companies implement the framework.

Here’s how the White House is spinning the executive order:

“The Executive Order strengthens the U.S. Government's partnership with critical infrastructure owners and operators to address cyber threats through:

■ “New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies: The Executive Order requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.

■ “The development of a Cybersecurity Framework: The Executive Order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure. NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective. To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services."

CSO has spoken to infosec pros who remain skeptical that the order will accomplish much. Agcaoili disagrees.

“The government is driving this. We [private enterprise] have to take a swing at the ball or we’ll miss out," he said at the Confab. “This is huge. It isn’t your daddy’s regulation.”

His biggest piece of advice: Don’t assume you’re outside the scope of the new rules and decline to participate in the discussion, because the order covers a wide swath of economic activity and technology.

“Security is everyone’s responsibility,” he said. “You have to look at what your company does that touches other sectors. All you have to ask to start is if there’s a computer in it and does it connect to the Internet. Think of what you do as part of an ecosystem.”

-Bill Brenner

BLOG POST

Two-Step Verification Will End Consensual Impersonation

A COUPLE MONTHS BACK, I ADVOCATED KILLING YOUR password policies and using other techniques to make passwords more effective. But adding factors is also a great idea, and the barriers to doing it are falling fast.

The latest big company to get into the act is Apple, joining Dropbox, Facebook, Google, World of Warcraft, and other companies that manage valuable consumer information. Apple IDs now have a two-step verification option, meaning that users can enable a second authentication factor (which makes use of their mobile devices) for logging in to iCloud, iTunes, and so on.

Although some banks have adopted two-step authentication, most social networks and e-commerce sites still aren’t forcing consumers to go through extra login steps—they think it adds too much friction. But the writing is on the wall. What was once anathema is going to be required by online service providers and accepted by users within a couple of years, at least for especially sensitive operations.

There’s a side benefit that password-only authentication has given users all this time, though, and we’re going to run smack into a problem when it goes away: consensual impersonation. When you share your password with someone else so they can do stuff in your account as if they were you, that’s consensual impersonation. For example, a dad asks his kid to go online and do the annual school soccer sign-up on the dad’s behalf, or even (oh dear) girlfriends and boyfriends sharing email and Facebook passwords as a sign of affection and trust.

If your service demands a second factor, even one as simple as a texted one-time password, the difficulty of sharing access to an account goes way up unless the two people are already in the same room with their mobile devices present. IT security pros are typically delighted to do away with employees’ option for consensual impersonation, but I suspect the consumer world isn’t quite ready for widespread two-step verification that cuts off this option. (Not that Juliet should have been giving Romeo her password anyway.)

Online apps will feel pressure to solve this problem, but here’s the right way to do it: Make it easier to delegate constrained account access to other people. We don’t have good solutions for secure sharing of access in online apps today. In fact, the ones we have kind of stink, which is why some people take the easy-if-insecure way out. The solution needs to be friendly and functional, and it needs to enable revocation, so that at least Juliet can kick Romeo out of her digital life as well as her real one when the time comes.

This problem calls out for the Web standard I work on in my copious spare time, user-managed access (UMA). Once enough online services demand two-step verification, apps will need to enable UMA or some-
thing  like  it  just  to  give  people  back  the  feature  that  consensual  imper¬ 
sonation  used  to  “solve." 

-Eve  Maler,  Forrester  Research  blogger  for  CSOonline.com 
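The delegation model the column calls for, written out as an added example that is not part of Maler’s column or of the UMA specification: the owner issues a separate, scoped, expiring grant to the delegate and can revoke it at any time, while her own credential is never shared. The account names, scope strings and the injected clock are constructed for the demonstration.

```python
"""Constrained, revocable delegation instead of password sharing.

Added example; not code from Eve Maler's column or from the UMA
specification. The owner hands a delegate a separate, scoped grant that
the owner can revoke; the owner's own credential is never shared.
Names (juliet, romeo, tybalt), scope strings and the clock are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class Grant:
    owner: str
    delegate: str
    scopes: frozenset
    expires_at: datetime
    revoked: bool = False


class DelegationService:
    def __init__(self, clock=None):
        # The clock is injectable so expiry can be exercised deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._grants = {}

    def grant(self, owner, delegate, scopes, ttl_hours=24):
        """Issue a bearer token tied to (owner, delegate) and limited to scopes."""
        token = secrets.token_urlsafe(24)   # unguessable handle; never the owner's password
        self._grants[token] = Grant(owner, delegate, frozenset(scopes),
                                    self._clock() + timedelta(hours=ttl_hours))
        return token

    def authorize(self, token, scope):
        """True only for a live, unrevoked, unexpired grant that includes scope."""
        g = self._grants.get(token)
        if g is None or g.revoked or self._clock() >= g.expires_at:
            return False
        return scope in g.scopes

    def revoke(self, owner, token):
        """Only the owner of a grant may revoke it; anyone else gets False."""
        g = self._grants.get(token)
        if g is None or g.owner != owner:
            return False
        g.revoked = True
        return True

    def active_grants(self, owner):
        """What the owner sees when reviewing who still holds access."""
        now = self._clock()
        return sorted((g.delegate, tuple(sorted(g.scopes)))
                      for g in self._grants.values()
                      if g.owner == owner and not g.revoked and now < g.expires_at)


def demo():
    """Grant, use, scope denial, expiry and revocation; returns the outcomes."""
    now = [datetime(2013, 5, 1, tzinfo=timezone.utc)]   # constructed, controllable clock
    svc = DelegationService(clock=lambda: now[0])
    token = svc.grant("juliet", "romeo", ["calendar:read", "photos:read"], ttl_hours=48)
    outcomes = {
        "in_scope": svc.authorize(token, "calendar:read"),
        "out_of_scope": svc.authorize(token, "mail:send"),
        "stranger_revokes": svc.revoke("tybalt", token),
        "visible_to_owner": svc.active_grants("juliet"),
    }
    now[0] += timedelta(hours=49)                         # step past expiry
    outcomes["after_expiry"] = svc.authorize(token, "calendar:read")
    now[0] -= timedelta(hours=49)                         # back inside the validity window
    outcomes["owner_revokes"] = svc.revoke("juliet", token)
    outcomes["after_revocation"] = svc.authorize(token, "calendar:read")
    outcomes["visible_after_revocation"] = svc.active_grants("juliet")
    return outcomes
```

The contrast with password sharing is the revoke path: a shared password cannot be taken back without changing it, and it grants every scope, whereas a grant is denied the moment it is revoked, expires on its own, and never covered anything outside the scopes the owner chose.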
Troublemakers Are Your Friend, As Long As They’re Creative

ROGER JOHNSTON, HEAD OF ARGONNE NATIONAL Laboratory’s vulnerability assessment team, shared some creative tips at CSO’s Confab event last month. His first piece of advice: Think like the bad guys, and be creative about it. “Some of the biggest impediments to good security are a lack of imagination, cognitive dissonance, a weak security culture and poor insider threat mitigation. If you’re in charge of security and you’re not particularly imaginative, bring in people who are.”

Next, he said, don’t let the good guys define the problem. Gleefully look for trouble. Be the fault-finders.

“Assemble your own team of people with a hacker mentality,” he said. “You need the hackers, narcissists, troublemakers, loophole finders, and those who question authority.”

Creative thinking is one reason the laboratory is a CSO40 winner this year, and it has helped them uncover some zany flaws. I remember Johnston giving examples at the 2010 USENIX Security Symposium in Washington, DC. In a talk called “Security Blunders Dumber Than Dog Snot,” he mentioned:

■ Security cameras that mostly fail to prevent crime because they have poor resolution, so security personnel miss things.

■ Electronic voting machines that can be easily tampered with on the voter’s end. Just swap four wires and you can switch the votes for two candidates, Johnston said.

■ Overlooked insider threats that are usually sparked by bad HR policies. “We’ve seen phony or nonexistent grievance and compliance resolution procedures, no constraints on bully bosses, failure to manage expectations...and it all contributes to the problem.”

He offered this bit of outside-the-box thinking: “You should try to bribe employees and contractors. If they’re honest and refuse the bribe, let them keep the money and hail them publicly for their honesty and integrity.”

-Bill Brenner
Drowning in Alphabet Soup: When Certifications Don’t Pay Off

It’s always good to be able to show your knowledge, but having more abbreviations after your name doesn’t always translate into cold, hard cash. By Lauren Gibbons Paul

WHEN IT COMES TO EDUCATION, most people agree, more is better. No one embodies that principle (at least as it relates to IT certifications) better than Jerry Irvine, CIO of IT consulting firm Prescient Solutions and member of the National Cyber Security Task Force. Irvine holds more than 20 IT certifications, of which at least six are specifically information security-oriented.

“I’ll stop getting certifications when I’m dead,” says Irvine, though one wonders if even that will dissuade him. Irvine is a firm believer in the notion that your wallet will reflect the value of certifications in general and security certifications in particular.

“My opinion is the more certified you are, the more marketable you are. You can prove you know more because you have those certifications,” says Irvine. “People look at you and say, ‘This guy really does know his stuff.’ That gives you the opportunity to make more money.”

Anyone who puts in the time and spends the money to get certified is showing they care about staying current with security trends and techniques. That quality makes someone more desirable to an employer, he says.

As a practical matter, many of today’s information security certifications require a hands-on demonstration of skills, such as CompTIA’s CASP (Certified Advanced Security Professional), which requires candidates to configure firewalls and routers and perform other security-related tasks as part of the test. Passing proves to a potential employer that you can do certain things, potentially giving you an edge over those who do not hold the certification.

Some jobs require applicants to get a certain security certification (either for information security or physical security) before they can even be considered for the position. In that case, you will surely know if there is a certification you need to obtain. Beyond that, however, attaining certifications is generally a matter of personal or employer choice. Some certifications require a great deal of work both in and out of the classroom, in addition to sitting for the test. The question: Do they generate return on your investment?

Certifications should not be the goal so much as a tool you can use to further your career, says Chris Brenton, an instructor at the SANS Institute and director of information security for CloudPassage, a cloud security provider. Brenton has been conducting certification training for many years but, surprisingly, does not hold any certifications himself.
Certifications are one way to prove what you know, says Brenton, but there are other ways, especially if you’re a good communicator. “It’s how much do you know and how good are you at conveying what you know?” he says.

As someone who oversees hiring security professionals for his company, Brenton looks for experience beyond certifications that shows the job candidate has practical skills. For example, if the candidate created a piece of open-source software relating to security (such as for vulnerability scanning or implementing host-level security), that indicates real-world knowledge, he says.

“If the candidate has an active blog or has written a book about security, that tells me more about their expertise than just looking at their resume with certifications,” he says. In that case, holding a certification would probably not result in the candidate getting a higher salary offer. However, when weighing two candidates without any demonstrated expertise, certifications would give an edge, he says.

And taking a class or obtaining a certification can be a handy way to fill a gap in your expertise, says Brenton. “Let’s say they understand most aspects of network security but there are still some black-box areas where they need more training.” His students often come for certification when they want to switch jobs or even careers.

The world of threats (both physical and information-based) moves so quickly that certification is a way to show you have training and understand the issues. That said, certifications can quickly become outdated as technologies and threats morph and change. A certification that emphasizes perimeter security skills, for example, might be perceived as less valuable now than one that focuses on vulnerability assessment and mitigation. And there is sure to be a hot new certification in 18 months to two years, if that long.

Those who obtain one security certification may feel the need to keep going as certifications change with the times. That could translate to more money in the certification provider’s wallet than yours. This is less true when it comes to physical security certifications, as physical security threats arguably do not change as quickly as information security threats.

Whether security certification will earn you more, now or in the future, depends a lot on the organization, the job and the industry. If your company values continuing education (and will help foot some of the bill for the training), that is a good indication that certification will elevate your status. If not, you may still want to pursue certification if you are a person like Jerry Irvine, for whom education is its own reward, or you need to build up your resume in anticipation of making a move.

Irvine stands by his record. “I hire security people. I look for certifications. Getting certified really does show something about a person,” he says. “We hire people with certifications.”


INDUSTRY CHATTER ON TWITTER

Every time you allocate resources for tech risk you’re revealing a minimum estimate of risk within that scope.

-Pete Lindstrom @SpireSec

Vendor email with mixed metaphors: “When it comes to the cloud, are you fully immersed or behind the 8-ball?” #DiscardToFile13

-Eric Cowperthwaite @e_cowperthwaite

At some point, infosec lost sight of KISS and adopted KICP (keep it complicated and profitable): subscription-based security? #QED

-Dave Piscitello @securityskeptic

I look forward to the day when the ex-director of the NSA can give a speech on cyber and not make jokes about grandkids teaching him how to use an iPad.

-Christopher Soghoian @csoghoian
Executive Protection: 4 Keys for Safe Travel

AS I WRITE, AN AUSTRIAN CITIZEN IS being held captive in Yemen, an attack on the In Amenas gas complex in Algeria has killed at least 37 hostages including three Americans, and reports suggest homicides in Mexico are on the rise.

It’s an unsafe world. Travelers in general and high-profile executives in particular are being targeted for abductions and assassinations by criminals who want to make political statements or collect a quick payout.

Yet our global economy and interconnected culture leave many executives little choice but to travel more than ever before. And often those executive trips are to areas that are less than stable. This poses risks that often become the responsibility of the organization’s CSO to address and mitigate.

There are a number of things CSOs can do to assure the safety of their organization’s executives. The easiest, and often most cost-effective and efficient, is subcontracting: hiring a company that specializes in international and high-risk security. This is smart because most organizations have excellent security in-house, but those tactics don’t necessarily translate into appropriate security abroad.

But for those determined to provide their own security to overseas executives, here are five important techniques and risks to factor into the planning:

Advance work. Safety begins with proper planning. It’s generally agreed that in order for an attack to take place three conditions must exist: capability, motivation and opportunity. There is little we can do about a potential attacker’s capabilities and motivation, but what we can and should address is the opportunity. By minimizing the opportunity, a security specialist can greatly minimize the chances of an attack.

The advance work should examine the safety of every aspect of the trip, including travel arrangements, lodgings and routes, and should handle obtaining vehicles, securing permits and planning communication. It should also manage mundane tasks such as assuring that medical records are in order (are shots and vaccinations needed, for example), visas and passports are current, and all information is secure and details do not leak out.

Contacting local agencies and government offices, such as the State Department and embassies, adds another layer of security.

Choosing the detail. Don’t underestimate the importance of using specialized security officers, drivers and support staff who speak the local language, know the culture, and can provide excellent security. The best planning is worthless if execution lacks professionalism and the means to enforce the plan.

Training. The CSO’s responsibilities don’t stop at surrounding traveling executives with protective measures. You must also train the executives themselves, teaching them how to remain safe, what the emergency procedures are, what to expect from the security detail, and what the protocols are for situations they may encounter, all of which can be a tremendous asset in an emergency.

Some CSOs are even teaching executives basic SERE (survival, escape, resistance and evasion) skills. These skills can mean the difference between surviving a violent encounter and becoming a victim.

Soldiers stand guard at the Tiguentourine Gas Plant in In Amenas, Algeria, which was besieged by militants in January.

Many executives are seeking out this type of training on their own these days. Having the CSO support this kind of training and evaluate the programs that offer it can further enhance the relationship between the executive and the CSO.

Kidnap and ransom. Kidnap and ransom is a threat that’s unique to high-risk travel and should be discussed whenever an executive is planning a trip to an unstable area. Don’t think so? Just ask insurance agencies, many of which now offer specialized insurance policies for precisely this possibility. Unfortunately, not enough executives take advantage of it, leaving them exposed and greatly increasing the risks that come with a kidnap-and-ransom situation.

This service should be discussed in depth with the CSO. Even if it seems unlikely, it is a situation for which you must prepare. Just ask the Austrian now being held captive in Yemen.

■ BK Blankchtein is the owner and chief instructor at Masada Tactical, a provider of high-risk security services.
Adapting to a World Where Malware Is Political

IN MY OPINION PIECE IN THE MARCH ISSUE OF CSO, I talked about how the Shamoon virus attack on Saudi oil firm Aramco signaled the start of an insidious new wave of malware. Instead of quietly siphoning off data and intellectual property for financial gain, Shamoon and others like it aim to publicly cripple businesses in the name of geopolitical score-settling, which makes them far more dangerous and difficult to thwart.

The good news? More than 98 percent of businesses today will not be caught in the crosshairs of politically motivated attackers. Unless you are charged with running the main economic engine of your country (for example, you work at a high-profile bank, utility or defense contractor), chances are these types of attacks are not targeting you.

The bad news? Those businesses that fall within that targeted 2 percent face a difficult, time-consuming, expensive and risk-laden project as they work to harden their defenses and build practical survival strategies. Since the attackers simply seek to topple their targets in the fastest, most efficient manner possible, traditional crown-jewel-focused defenses won’t cut it. Instead, IANS clients are finding they must address the new threat both strategically and tactically.

“Strategically, the first step is to find where the failure-resistant systems live,” advises IANS faculty member Marcus Ranum. “Those are the processes and systems the organization has already deemed valuable and business-critical.” From there, it’s a process of discovering and ruling out any critical single points of failure. “Say you have a mirrored server in a redundant data center. Work your way forward and back within the system until you find the single point of failure. Does that data center run off a single generator? Do those redundant links flow through a single gateway?”
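Ranum’s exercise can be run mechanically once the environment is written down as a dependency model. The following is an added example, not IANS’s or Ranum’s own tooling: each component depends on groups of providers, any one member of a group keeps it running (mirrored servers, redundant links), but every group is required; failing each component in turn then reveals the ones whose loss alone takes the critical service down. The topology is constructed to mirror the column’s two questions, and a remediated version shows the search coming up empty.

```python
"""Single-point-of-failure search over a dependency model.

Added example; not IANS's or Marcus Ranum's own tooling. A component is
up when, for every one of its dependency groups, at least one member of
that group is up. Fail each component alone and report those whose loss
takes the critical service down. Both topologies are constructed.
"""
from itertools import combinations

# component -> list of dependency groups (any member of a group suffices).
TOPOLOGY = {
    "payments-app": [["server-a", "server-b"], ["wan-link-1", "wan-link-2"]],
    "server-a": [["dc1-power"]],
    "server-b": [["dc1-power"]],      # "mirrored" server, but in the same data center
    "dc1-power": [["generator-1"]],   # the data center runs off a single generator
    "generator-1": [],
    "wan-link-1": [["gateway-x"]],
    "wan-link-2": [["gateway-x"]],    # redundant links that both flow through one gateway
    "gateway-x": [],
}

# The same service after remediation: second site, second generator, second gateway.
REMEDIATED = {
    "payments-app": [["server-a", "server-b"], ["wan-link-1", "wan-link-2"]],
    "server-a": [["dc1-power"]],
    "server-b": [["dc2-power"]],
    "dc1-power": [["generator-1"]],
    "dc2-power": [["generator-2"]],
    "generator-1": [],
    "generator-2": [],
    "wan-link-1": [["gateway-x"]],
    "wan-link-2": [["gateway-y"]],
    "gateway-x": [],
    "gateway-y": [],
}


def is_up(component, failed, topology, _path=()):
    """Recursive availability check; a cycle in the model is a modelling error."""
    if component in failed:
        return False
    if component in _path:
        raise ValueError(f"dependency cycle through {component}")
    path = _path + (component,)
    for group in topology.get(component, []):
        if not any(is_up(member, failed, topology, path) for member in group):
            return False
    return True


def single_points_of_failure(service, topology):
    """Components whose individual failure takes the service down."""
    return sorted(c for c in topology
                  if c != service and not is_up(service, {c}, topology))


def critical_pairs(service, topology):
    """Pairs that together take the service down, excluding any pair that already
    contains a single point of failure: the next layer of the same exercise."""
    spofs = set(single_points_of_failure(service, topology))
    others = [c for c in topology if c != service and c not in spofs]
    return sorted(tuple(sorted(p)) for p in combinations(others, 2)
                  if not is_up(service, set(p), topology))
```

On the constructed topology the search reports dc1-power, generator-1 and gateway-x, exactly the generator and gateway in Ranum’s questions; the mirrored servers and the two links never appear, because either member of their group keeps the service up. On the remediated topology no single component is reported, and `critical_pairs` shows what it now takes: one component from each side of a redundant pair.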

Ranum also recommends firms square off their different architecture teams against one another and charge them with uncovering design flaws. “True, that’s a nightmare from an HR standpoint, but having your ops teams vet your network designs and vice versa is the fastest way to uncover these issues.”

From a tactical standpoint, many IANS clients are focusing equally on preventing initial delivery of the malware (implementing whitelisting and reputation-based tools) and eliminating lateral movement once an attack makes it inside (via data-loss prevention or sandboxing and malware-analysis tools). Aligning these tools with Lockheed’s kill chain methodology is a primary strategy. Lockheed’s methodology lists the six main steps every attacker takes to infiltrate an environment: reconnaissance, weaponization, delivery, exploitation, installation and command-and-control. If you thwart just one step you may end an attack, but thwarting several makes you resilient.

This offshore oil rig belongs to Saudi Aramco, which was crippled by a virus last year.

Others are looking to augment their current signature-based tool set (such as antivirus software and intrusion detection and prevention systems) with flow-based tools. Monitoring packet flows across the network using a tool like Cisco’s NetFlow not only alerts you to anomalies faster, it also signals an attack’s scale, enabling security teams to identify these types of attacks before they wreak havoc.

Still others are reconsidering their flat network architectures. “Network segmentation is another major component of locking down the environment effectively,” says IANS lead faculty Dave Shackleford. “Creating effective quarantine zones that only offer specific services and allow very limited communications inbound and outbound can more readily make anomalous traffic stand out.”
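What flow data and segmentation give a defender, as an added example that is not code from IANS, Cisco or the column: over constructed NetFlow-style records (source, destination, destination port, bytes), it flags a host whose fan-out to distinct internal peers jumps far above its baseline (the shape lateral movement leaves in flow data), reports per-source volume as the scale signal, and lists traffic entering a zone on a port that zone’s policy does not offer, which is what Shackleford’s quarantine zones make stand out. Zones, addresses, the baseline and thresholds are all constructed.

```python
"""Flow-based anomaly checks over NetFlow-style records.

Added example; not code from IANS, Cisco or the original column. Runs over
constructed flow records (src, dst, dport, bytes) and flags fan-out jumps,
per-source volume and cross-zone traffic on ports a zone does not serve.
Zones, addresses, baseline, thresholds and records are all constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zoning: each zone lists the only inbound ports it is allowed to serve.
ZONES = {
    "quarantine":   {"net": ip_network("10.9.0.0/24"), "inbound": {443}},
    "workstations": {"net": ip_network("10.1.0.0/16"), "inbound": set()},
    "servers":      {"net": ip_network("10.2.0.0/16"), "inbound": {22, 443, 1433}},
}

# Constructed baseline: how many distinct internal peers each host normally talks to.
BASELINE = {"10.1.0.5": 2, "10.1.0.6": 2, "10.9.0.7": 1}

# Constructed flow export: a normal workstation, a workstation sweeping its own
# subnet on 445, a quarantined host reaching the server zone, an external client.
SAMPLE_FLOWS = "\n".join(
    ["10.1.0.6,10.2.0.1,443,5000",
     "10.1.0.6,10.2.0.2,1433,8000",
     "10.1.0.5,10.2.0.1,443,4000"]
    + [f"10.1.0.5,10.1.0.{host},445,300" for host in range(10, 22)]
    + ["10.9.0.7,10.2.0.3,445,1200",
       "203.0.113.8,10.9.0.7,443,2000"]
)


def zone_of(addr):
    ip = ip_address(addr)
    for name, zone in ZONES.items():
        if ip in zone["net"]:
            return name
    return "external"


def parse_flows(text):
    """Parse 'src,dst,dport,bytes' lines into (src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, nbytes = (field.strip() for field in line.split(","))
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def fanout_anomalies(flows, baseline, factor=5, floor=10):
    """Sources whose distinct internal-destination count exceeds factor x baseline
    and at least floor, so a quiet host with baseline 1 is not flagged at six peers."""
    peers = defaultdict(set)
    for src, dst, _, _ in flows:
        if zone_of(dst) != "external":
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()
            if len(dsts) >= floor and len(dsts) > factor * baseline.get(src, 1)}


def zone_violations(flows):
    """Cross-zone flows whose destination zone does not serve the destination port."""
    return [(src, dst, dport) for src, dst, dport, _ in flows
            if zone_of(dst) != "external"
            and zone_of(src) != zone_of(dst)
            and dport not in ZONES[zone_of(dst)]["inbound"]]


def bytes_by_source(flows):
    """Per-source volume: the scale signal the column says flow data adds."""
    totals = defaultdict(int)
    for src, _, _, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def analyze(text=SAMPLE_FLOWS, baseline=BASELINE):
    flows = parse_flows(text)
    return {"fanout": fanout_anomalies(flows, baseline),
            "violations": zone_violations(flows),
            "bytes": bytes_by_source(flows)}
```

Both checks work without a signature: the sweeping workstation is caught by how many peers it touched relative to its own history, and the quarantined host is caught because the server zone does not offer port 445 to anyone outside it, regardless of what the packets carried.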

Unfortunately, traditional tactics like implementing vulnerability scanning techniques may not prove as helpful in detecting systems susceptible to these sophisticated attacks. “The threat of zero-day exploits is real, and there’s no prescribed way to prepare for and prevent them entirely,” Shackleford says. “One technique that is getting some attention today is virtualization isolation and encapsulation of endpoints, with vendors like Bromium leading the charge. However, many industrial control systems may not have the proper hardware, OS level or stability, for that matter, to support this.”

In other words, preparing for the post-Shamoon world is no easy task. It requires a major defense strategy rethink and the smart reallocation of tactical security resources and investments.

Before beginning this arduous undertaking, enterprises must assess their overall public profile to determine the likelihood that such an attack will target them. For most organizations today, the answer will be “no,” and they can continue to pursue more traditional defense strategies. But for those that fall into the unlucky 2 percent, now is the time to take the threat seriously and get to work.

■ Phil Gardner is the co-founder and CEO of IANS, a security consultancy and research firm.
Ten Tips for the Metrics-Minded Organization

by Joe Gottlieb

Sensage, a KEYW company

Adoption of a New “Science” Drives Advanced Security Intelligence

In addition to an organization-wide commitment to an analytical approach to security, there are several things to keep in mind as you venture into a metrics initiative. Start with the ten tips below, which provide a starting point for any IT organization that wants to make sure it is on the right path.

1. Enroll stakeholders as early as possible. As early as possible, gather a cross-functional team of metrics-minded individuals to build out the plan around collecting, analyzing, reporting, interpreting and responding to security intelligence.

2. Define your event system of record. You need a central collection point that everyone agrees houses data they trust. It will help create confidence in the data and credibility in the results.

3. Make user and asset directories a critical foundation for security intelligence. Identity and asset management systems help define the categorizations for user-specific metrics, so understand their accuracy, their ongoing refresh cycles and the user-specific “coverage” you are achieving in your measurement efforts.

4. Use your IT/Service catalog to guide your metrics. Our recommendation is that you look at security policies or service level agreements—those will give you a great set of areas to contemplate building metrics around.

5. Land, then expand. Establish basic measurements, understand them, then expand. Start somewhere... anywhere... to establish a metric and then work to make that metric useful or replace it with a better one that you’ve discovered in the process.

6. Be consistent or die. Don’t spend a month on analysis then move on if nothing pops up. Maintaining consistent vigilance is the key to spotting trends or variances.

7. Be ready to change. Be intellectually honest when you make new discoveries, particularly if they show a need to change an established rule, alert or policy.

8. Engage experts and ignite managers. As you think about what data to analyze, solicit input from teams who know the systems, devices, people or information associated with all areas of infrastructure. They may shed light on interdependencies or relationships that are critical to better metric definition.

9. Test yourself. Conduct a Metrics Penetration Test (MPT), literally testing that the analytics you have established will “catch” the behaviors you are trying to isolate.

10. Innovate with new technologies but prune as you go. Defense in depth is a proven strategy but it can also lead to technology bloat, a false sense of protection and—in many cases—open doors for attacks. Examine your digital exhaust to identify devices, systems, applications and tools that are dormant or redundant.

There is much we are learning every day when it comes to security intelligence, and to evolve, we must adopt new disciplines around metrics management and continuous improvement. We applaud practitioners who are breaking new ground with the “science of security” and building defenses that are built around a systematic inspection of their landscape. To get the complete article, visit www.sensage.com/content/solutions.

If you would like to learn how proactive security teams leverage Sensage to enhance their visibility into security and compliance operations while reducing their costs and risk, please contact us for a demo at http://www.sensage.com/contact.
Cover Story

Experts say large-scale security analytics can cut through the noise to find key intelligence. But it takes expertise to use it effectively, and legally.

BY TAYLOR ARMERDING

BRITISH TELECOM HAD A PROBLEM: The company was suffering a series of security breaches — the physical, not cyber, kind. Thieves were stealing the company’s underground copper cable. Obviously, for a service provider like BT, the problem was not just about the cost of replacing the cable. It was also about customer relations. “It was damaging the brand,” says Bryan Fite, BT’s security and mobility portfolio manager for the U.S. and Canada, noting that every time there was a theft, customers lost service. A report in The Register said metal theft was costing taxpayers £700 million (U.S. $1.07 billion) per year.

This theft did not involve data. But it was data that solved the problem — big-data analytics. Fite says BT had effective tools to investigate the crimes, but it wasn’t using them to full advantage. It had multiple sensor networks that could tell when people were on tracks or cables, a fault system to tell when a cable was cut, and closed-circuit TV monitors displaying any activity. “But all those were isolated, standalone,” he says.

Adopting big-data tools “allowed us to throw all that into an analytics engine. We did, and [law enforcement] busted a lot of the rings.” In one of those cases, two men were sentenced in February to 16 months in jail after they admitted to stealing hundreds of yards of copper cable.

Big-data analytics were also at play in the recent conviction of two Steubenville, Ohio, high-school football players who raped a 16-year-old girl. Richard A. Oppel Jr., writing in the New York Times, noted that, “The verdict came after four days of testimony that was notable for how Ohio prosecutors and criminal forensics investigators analyzed hundreds of text messages from more than a dozen cellphones and created something like a real-time accounting of the events surrounding the incident and aftermath.” Would you say that is really big data? Hundreds of cellphone texts is not a huge volume of info.

While hundreds of text messages do not amount to big data in terms of volume, the analytics do. Drawing connections between otherwise disparate data points was not being done even a few years ago.

Indeed, big data has revolutionized marketing and business operations, so it makes sense that it is also revolutionizing investigations, which are, after all, about collecting and analyzing information. Big-data analytics should make police work faster, easier and more accurate, right?

Perhaps, but with some caveats. Big data offers big opportunities to improve investigations, according to numerous CSOs and CISOs, but they say it also brings new responsibilities and big risks. As is often the case, technology tends to outrace the ability of people and systems to manage and control it, and the ability of government to regulate it effectively.

Risks You Don’t See Coming

Kim Jones, senior vice president and CSO of Vantiv, a payment processing firm, welcomes the ability to access, aggregate and analyze much more information, saying the new tools should allow him to “walk through the details of an incident with greater clarity and certainty than in past, and more quickly. I believe those opportunities exist, and the tool sets are available to make them happen.”

But his enthusiasm is tempered by the reality that sets of data that used to be segregated can, when combined and aggregated, “create security, privacy and regulatory problems within our environment. Individually, items are fine, but when they’re aggregated, they’re not,” Jones says.

For example, different pieces of data about a person are contained in multiple databases that are meant to be kept separate. “But if I have one person who has authorization for all of that data, and can pull it into an aggregator, I may create a scenario where I have data that is more sensitive than the individual parts,” he says. “HIPAA talks about this, where data separate is not [personally identifiable information], but when you pull it together, it is.”

IBM says that every day, people “create 2.5 quintillion bytes of data — so much that 90 percent of the data in the world today has been created in the last two years alone.”

“I  believe  95  percent  of  the  compa¬ 
nies  out  there  are  not  up  to  speed  on 
that,”  Jones  says.  Not  that  big  data  is 
the  newest  buzzword  on  the  block.  It 
has  been  widely  covered  in  the  main¬ 
stream  media  for  its  marketing  value. 
It  has  even  reached  the  point  where 
Svetlana  Sicular,  research  director  at 
Gartner,  wrote  in  a  recent  blog  post  that 
according  to  the  Gartner  Hype  Cycle 
curve,  big  data  has  passed  the  “peak  of 
inflated  expectations”  and  fallen  into 
the  “trough  of  disillusionment.” 

This,  she  hastened  to  add,  does  not 
mean  big  data  is  obsolete  or  even  that 
it’s  declining  in  relevance,  only  that 
users’  opinions  are  “maturing”  to  be¬ 
come  a  more  realistic  reflection  of  big 
data’s  value.  But  when  it  comes  to  priva¬ 
cy  and  security,  there  is  general  agree¬ 
ment  that  enterprises  and  government 
regulators  still  have  a  ways  to  go  before 
their  controls  achieve  maturity. 

So far, big data is not a major tool, at least directly, of the federal Department of Health and Human Services’ Office of Civil Rights (OCR), which investigates alleged violations of HIPAA.

OCR Director Leon Rodriguez says the role of his agency is to take more of a macro look at how breaches occur and what kind of risks and vulnerabilities led to them, rather than crunch and analyze large amounts of data.

Who’s Responsible?

Keeping big-data analytics in compliance with regulations, Rodriguez says, is the responsibility of medical providers and their business associates who store and handle protected health information. They are required to use certain safeguards to protect that information, and to report breaches of 500 or more records to HHS and the media.

In the past, Rodriguez says, the main sources of information about violations were patients. “But they only have a pinhole view of what’s going on. What’s changed is that we are now getting large-scale breach reports involving millions of records. We were never in that environment before. But it is good, because it comes at a time when more and more health data is being stored electronically and aggregated.”

Rodriguez says his agency needs the technical capacity to understand what health providers and data custodians are doing, but “we’re really looking at your business process rather than what was in that data that was breached.”

Still, even if some of the initial hype was overdone, big data’s value continues to grow.

What was considered big two years ago would now be considered medium, and in a few more years will seem relatively insignificant. IBM says that every day, people “create 2.5 quintillion bytes of data — so much that 90 percent of the data in the world today has been created in the last two years alone.”

Todd Marlin, writing on Ernst and Young’s Forensic Brief blog, said, “Today, an hour’s worth of business for a typical big-box retail chain can create millions of transactional records. The entirety of data from the private sector doubles every 14 months....

“Consider that when your organization leaves the league of petabytes in storage and moves to exabytes (that’s about one thousand petabytes), you are then working at an organization that stores more data than the entirety of human civilization until about 20 years ago,” he wrote.

Data From Everywhere

It is not just a lot more of the same data that has been collected for generations either. It comes from sources that did not exist even a decade ago: sensors in smart cars, smart appliances, Internet-enabled TVs, weather stations, smart utility meters, healthcare biosensors, HVAC monitors, traffic sensors, social media, geotagging, cell phone GPS signals, and more.

There are tool sets — some of them open-source, like Apache Hadoop — that can gather, share and analyze the constant rush of structured and unstructured data flowing through networks. They offer speed and the ability to draw connections among seemingly random, unstructured sets of data.

Accessing and analyzing all that data leads to intelligence. Jones, the Vantiv CSO, likes to talk about the differences between data, information and intelligence. One of his favorite examples is a seemingly random 10-digit number.

“Maybe it’s just a number in excess of three billion,” he says. “Maybe it’s an overseas telephone number. Maybe it’s a 10-digit barcode of something. Or maybe it breaks down to a U.S. telephone number, which in this case is what it is.
“If I add that to other pieces of information that may exist out there, such as the first three numbers — 301 — being the area code for Maryland and the fact that I used to live in Maryland back in the late ’90s, you might be able to do some predictive analysis and extrapolate that this is my old phone number.”

Bob Rudis, director of enterprise information security and risk management at Liberty Mutual, bristles at “big data,” which he thinks is a buzzword — he prefers “large-scale, aggregated security analytics” — but he says he does see organizations, “including the one I work for, embracing the potential of the advancements in security-oriented data analytics to help speed up and generally improve forensic investigations.

“Something that may have taken an organization a few hours or days to get intelligence on can take minutes with the right people, processes and technology,” he says.

Rudis says Liberty Mutual is also “part of a regional, cross-sector group that is working to develop a way for member organizations to share their security-oriented data into one large system that would then be able to do very large-scale analytics across organizations for one purpose — being able to share known attack indicators as well as see if there are already indicators on those networks.”

Eddie Schwartz, CISO at RSA, says big data turns the traditional model of investigating and defending against attacks on a network on its head by adding new content, context and analytic methods.

Schwartz says big data allows a predictive and proactive model that can identify or even anticipate attacks by focusing on the entire operation of a business, including transactions. It also helps insurance companies like his, because now when they investigate an accident they can combine data from automobile sensors with weather readings and traffic data to get a better understanding of the conditions surrounding the incident that led to a claim.

[Photo caption: Big data played a significant role in the rape conviction of Steubenville teenagers Trent Mays (left) and Ma’lik Richmond.]

You Need More Than Data

But those investigative advantages come with more demands and a new set of risks.

Simply having the technology doesn’t guarantee effective use of big data. Stefen Smith, CSO at SecureForce, agrees with Jones that most enterprises are not up to speed when it comes to big-data analytics.

The tools now available, which besides Hadoop include EMC’s Greenplum, Teradata, HP’s Vertica and Palantir, offer plenty of value, he says, but need a lot of human expertise to use effectively, since they are all focused on different areas.

“To find data related to an insider threat or regulatory compliance, things have to be configured to find what’s important to the organization,” he says. “Until somebody is able to deploy these disparate technologies, it’s going to be tough for organizations to achieve success.”

One vendor, Smith says, has an “awesome suite,” but on its website makes the point that it needs the expertise of data scientists. “So you’re talking about needing people with advanced degrees who know how to find patterns and look for it and organize it.”

Rudis agrees. “It’s not really about the tools,” he says. “It’s about the people and processes.”

No big-data project can succeed without the backing (including money and policy directives) of senior management, smart security people who know what questions to ask, smart data analytics people who know how to ask those questions, and solid governance and maintenance models that ensure tools and processes are kept up-to-date.

“All that,” Rudis says, “plus storage: lots and lots of storage.”

BT’s Fite emphasizes the human element as well. “Big data doesn’t work if you don’t have humans handling it. You can’t buy technology and get rid of humans.”

Then there are the risks and responsibilities. The fact that the tools are available to aggregate and analyze big data means regulators and the courts increasingly expect those involved in discovery proceedings to make use of them.

Heather Clancy, writing on SmartPlanet, noted that, “analytics and big data technology is making e-discovery software smarter, helping legal departments avoid costly fines associated with failing to produce all relevant documents related to lawsuits or other government investigations.”

But failure to use it, she wrote, “can also be a huge liability. Consider the 2008 case of Qualcomm and Broadcom, which were embroiled in a patent dispute. Along the way, things got ugly when the judge fined Qualcomm $8.5 million for withholding evidence.”

In law-enforcement investigations, the reality of big data means officers must collect more than just a suspect’s laptop. They also need to gather any loose hard drives, modems, routers, digital cameras, games consoles and, of course, smartphones and tablets.

Naked Security, the blog of security vendor Sophos, polled its readers to find out how many devices they carried regularly. The average was about three, with one person reporting that he carried 12.

A Shifting Legal Strategy

Jones says big data is also changing legal strategy. “It has long been the practice when one side gets data requests for trial or prosecution to deluge the other side with data, under the assumption that they’ll never find what they’re looking for. But big data means they can find it. Even worse, given the analytic capability of the tools, they might find more than you thought they would.”

“When I think about its application to investigations, it may lead to more investigations,” he says.

And then there is the risk of violating personal privacy. As experts point out, the almost magical ability of big-data analytics to draw connections between seemingly random bits of data can be both a blessing and a curse.

David Navetta, in a post on Information Law Group, illustrates that risk. A person who consents to have his personal information collected and used for marketing purposes may find that his information ends up in the hands of a data broker.

If that person buys a deep fryer, and that information ends up in the hands of “a health insurance company, whose algorithms put people who purchase deep fryers into a high-risk category, in the world of big data, the initial, relatively innocuous data disclosure (that was consented to), could suddenly serve as the basis to deny a person health care (or result in higher health care rates),” Navetta wrote.

The solution to that, according to a number of experts, is to anonymize the data. That, in fact, is one of the OCR’s guidelines. Navetta notes in his post that HHS, “sets forth two methods to achieve de-identification under HIPAA: expert determination and ‘safe harbor’ de-identification (which involves removing 18 types of identifiers from health data).”

That may not be good enough, however. Navetta wrote that, “In one infamous example, as part of a contest to create a better movie recommendation engine, Netflix released an anonymized data set containing the movie rental histories of approximately 480,000 of its customers. Researchers established that they could re-identify some of the Netflix customers at issue by accessing and analyzing publicly available information concerning movie ratings performed by such customers.”

Rudis appreciates the difficulty. “My organization has had legal involved since day one of cross-organization sharing,” he says. “Any non-U.S. organization, or domestic one with international employees and customers, will have to ensure they are anonymizing well, which is really hard to do when you have so many attributes from so many systems and devices brought together.”
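Jones’s point that individually harmless records become sensitive once aggregated, and Rudis’s warning that anonymizing well gets harder as attributes from many systems are brought together, can be measured with a k-anonymity check before data is shared. This is an added example, not code from the article or from any organization quoted in it; the records, column names and the order in which attributes are joined are constructed for illustration.

```python
"""k-anonymity audit over a constructed, already 'de-identified' record set.

Added example (not from the article): direct identifiers have been stripped,
HIPAA safe-harbor style, yet joining the remaining quasi-identifiers shrinks
the crowd each record hides in until some records stand alone.
"""
from collections import Counter

# Constructed sample records. Each column looks harmless on its own; the
# values are invented and correspond to no real person or device.
RECORDS = [
    {"zip3": "212", "birth_year": 1975, "sex": "F", "device_model": "P1"},
    {"zip3": "212", "birth_year": 1975, "sex": "F", "device_model": "P2"},
    {"zip3": "212", "birth_year": 1975, "sex": "M", "device_model": "P1"},
    {"zip3": "212", "birth_year": 1975, "sex": "M", "device_model": "P1"},
    {"zip3": "301", "birth_year": 1968, "sex": "F", "device_model": "P3"},
    {"zip3": "301", "birth_year": 1968, "sex": "F", "device_model": "P3"},
    {"zip3": "301", "birth_year": 1968, "sex": "M", "device_model": "P1"},
    {"zip3": "301", "birth_year": 1968, "sex": "M", "device_model": "P2"},
]
# Order in which an aggregator might join attributes pulled from separate systems.
QUASI_IDS = ["zip3", "birth_year", "sex", "device_model"]


def equivalence_classes(records, quasi_ids):
    """Map each combination of quasi-identifier values to the number of records sharing it."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size: every record is indistinguishable from at least k-1 others."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_ids):
    """Records whose combination is unique (k = 1): outside knowledge of just
    those attributes links straight to one record, as in the Netflix case."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1]


def anonymity_as_attributes_join(records, quasi_ids):
    """k after joining the first n attributes, for n = 1..len(quasi_ids).
    Each added column can only lower k; this is the aggregation effect."""
    return {n: k_anonymity(records, quasi_ids[:n]) for n in range(1, len(quasi_ids) + 1)}


def release_is_safe(records, quasi_ids, k_min=2):
    """Sharing gate: refuse a release in which any record hides in a crowd smaller than k_min."""
    return k_anonymity(records, quasi_ids) >= k_min


if __name__ == "__main__":
    for n, k in anonymity_as_attributes_join(RECORDS, QUASI_IDS).items():
        print(f"{n} attribute(s) joined -> {k}-anonymous")
    print("records singled out by all four:", len(singled_out(RECORDS, QUASI_IDS)))
    print("safe to share with all four attributes?", release_is_safe(RECORDS, QUASI_IDS))
```

The same gate can sit in front of the cross-organization sharing Rudis describes, with the joined attribute list replaced by the real schema of the shared system.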

Rudis says he believes the risk of privacy violations “is significant enough that any organization looking to put in large-scale security data analytics should also budget for increased insurance to cover any fines or lawsuits that emerge.”


Taylor Armerding is a freelance writer based in Massachusetts.




Ten Tweets: Rafal Los

@Wh1t3Rabbit

HP’s security industry veteran gives us his thoughts on careers and leadership, and shares his philosophy on security in 140 characters or less


CSO: How long have you been in security?

Rafal Los: I’ve been doing “security tasks” since roughly ’99, but been strictly security since 2001. Those are slightly different.


What first brought you to this industry?

What drew me to the security industry is my love for solving puzzles: security is a puzzle made up of many moving parts.


Agreed. So how has your career path changed over time?

When I was younger, everything was a technical puzzle; over time I’ve adjusted course to strategy, where big issues are solved.

So in short, early on in my career every answer was technical; now I realize that’s only a small part of the big picture.


You’re moving from senior security strategist with HP to a new role. Tell us about it.

I’m taking a role as principal at HP Enterprise Security Services. Reason: Products are only part of the solution, people are the rest.


What changes are you looking forward to with the new position?

I’m moving from talking about solutions to tough problems, to actually working on solving them with customers, which is awesome.


You mentioned you think “secure” is an old word that will eventually be replaced by something else. What?

“Secure” is concrete and binary, which should be replaced. The concept I’m using (others are too) is “defensible,” which is logical.


Can you describe your security philosophy in 140 characters or less?

There is no “secure,” organizations must prepare to actively defend what is business-critical, intelligently.

IT basics are key.


Fill in the blank. If I didn’t work in security, I would be...

Sleeping a lot more; only half-kidding. Working in law enforcement in some way, chasing bad guys.


Tell us about your Twitter handle. What was the inspiration for @Wh1t3Rabbit?

I’m a BIG “Alice in Wonderland” fan, and of course “The Matrix,” so the White Rabbit is a common metaphor, suits me well.


OK, pass the buck now. Who do you think CSO should tweet with next?

Next? I’d go with @michaelkearn or @wgragido or @rayumerley. Or all of ’em.